The 25 most dangerous programming errors
More than 30 international security companies and organisations have agreed on a list of the top 25 most dangerous programming errors that can lead to security issues, which may be exploited by criminals. For example, in 2008, just two of the errors on the list led to over 1.5 million security breaches. Many of the errors are not widely understood by developers and the idea behind the list is to use it as a tool for educating programmers in how to avoid them. Among the top 25 errors are insufficient input validation, buffer overflows and poor access control.
The initiative is managed by Mitre and the SANS institute. It receives funding from the US Homeland Security's National Cyber Security Division and the NSA, who contributed to compiling the list. Among those also helping with the compilation were CERT, Microsoft, Oracle, Red Hat, Apple and Symantec. It is reported that the contributors came to a rapid agreement on what should make up the top 25.
The long-term goals of the project are:
- Making software more secure for buyers by requiring certification by vendors that software is free of the 25 errors
- Getting software testing tools able to detect the errors
- Training educators to be able to teach more secure programming practices
- Providing a guide to employers to determine if programmers are writing code free of these errors
The working group divided the top 25 into three categories: unsafe interaction between components, risky resource management and porous defences. For each error, the initiative provides a description, an assessment, examples of the error and the mistakes to avoid.
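Two of the error classes named above, insufficient input validation and buffer overflows, are easiest to see side by side in C. The snippet below is an added illustration written for this page; it is not code from the CWE/SANS list or from any of the contributing organisations, and the buffer size, function names and character policy are assumptions chosen for the example. It shows the classic unchecked copy into a fixed-size buffer next to a version that validates the input length and content before writing.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>
#include <ctype.h>

/* Added example, not from the CWE/SANS list. NAME_MAX is an assumed buffer
   size for a short user-supplied name field. */
#define NAME_MAX 16

/* Unsafe pattern (risky resource management): the copy ignores the size of
   dst, so any input of NAME_MAX characters or more writes past the buffer.
   Shown only for contrast; main() calls it with a short, constructed input. */
static void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no bound: overflow if strlen(src) >= NAME_MAX */
}

/* Hardened pattern: measure the input without scanning past NAME_MAX,
   reject anything that would not fit together with the terminator, and
   never leave dst in an undefined state. Returns true on success. */
bool copy_name_checked(char dst[NAME_MAX], const char *src)
{
    if (src == NULL) {
        dst[0] = '\0';
        return false;
    }
    size_t len = 0;
    while (len < NAME_MAX && src[len] != '\0')   /* bounded scan */
        len++;
    if (len >= NAME_MAX) {        /* too long: would need NAME_MAX+1 bytes */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);    /* copies the terminator as well */
    return true;
}

/* Input validation (unsafe interaction between components): an assumed
   policy that a name may contain only ASCII letters, digits and underscores.
   Rejecting early keeps shell metacharacters, quotes and control bytes from
   reaching later components. */
bool name_is_well_formed(const char *src)
{
    if (src == NULL || src[0] == '\0')
        return false;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '_'))
            return false;
    }
    return true;
}

/* Convenience wrapper: does this input pass both checks and fit the buffer?
   Uses a local buffer so callers need not manage storage. */
int name_accepted(const char *src)
{
    char buf[NAME_MAX];
    return name_is_well_formed(src) && copy_name_checked(buf, src);
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *inputs[] = {
        "alice",                     /* fits, well formed */
        "abcdefghijklmno",           /* 15 chars: the longest that fits */
        "abcdefghijklmnop",          /* 16 chars: rejected by the length check */
        "alice;rm",                  /* rejected by the character policy */
    };
    char buf[NAME_MAX];
    copy_name_unchecked(buf, "bob");  /* short input: safe here, unsafe in general */
    printf("unchecked copy of short input: %s\n", buf);
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %s\n", inputs[i],
               name_accepted(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The point of the checked version is that it fails closed: an over-long or malformed name is rejected and the destination is left as an empty string, rather than silently truncated or written past the end of the buffer.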
- Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them, SANS/Mitre announcement
- 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
- SANS hit list of security vulnerabilities - Windows out in front, heise Security report