Top 25 Programming Errors list updated
Just as they did last year, over thirty international security organisations have come together to publish a list of the 25 most dangerous programming errors leading to vulnerabilities that can be exploited for cybercrime and espionage. The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors has been updated with a number of improvements to how the errors are graded, prioritised and categorised. For example, new "Focus Profiles" allow readers to quickly see the listed errors sorted for particular professionals' interests.
A category-based view of the list sorts the errors into "Insecure Interaction", covering various injection techniques; "Risky Resource Management", covering buffer overflows and invalid calculations; and "Porous Defenses", which encompasses weaknesses in encryption or authentication. In the overall short list, the top problems were cross-site scripting, SQL injection, classic buffer overflows, cross-site request forgery and improper access control.
The idea behind the publication of the list is to make developers aware of the causes of many weaknesses and their ramifications in terms of overall security. The list also includes a section on "Monster Mitigations", a set of practices which, if followed, can help address many of the Top 25 errors or reduce their severity.
Red Hat's Mark Cox also published an analysis of the programming errors Red Hat experienced in 2009. He noted that of the eleven flaws that affected Red Hat Linux development, five were not in the Top 25, but four of them were "on the cusp", having just missed inclusion in the CWE/SANS list. Cox says that "2009 was the year of the kernel NULL pointer dereference flaw", but that this flaw didn't make it into the Top 25 as, in 2010, the "Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation".
Organisations that contributed to the compilation of the list include McAfee, Microsoft, Oracle and Symantec, as well as organisations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC).
The initiative is managed by Mitre and the SANS Institute. It receives funding from the US Department of Homeland Security's National Cyber Security Division and the NSA, which also contributed to compiling the list.