In association with heise online

29 June 2011, 15:51

Top 25 most dangerous mistakes in software development


Once a year, MITRE's CWE project and the SANS Institute publish a list of the 25 most commonly made programming mistakes that can, ultimately, lead to critical vulnerabilities in software. Heading this year's "Top 25 Most Dangerous Software Errors" is SQL injection, which results from user-supplied parameters being passed into SQL statements unfiltered or poorly filtered.

Using SQL injection, an attacker can often read an entire system's data, which can lead to massive information leaks. SQL injection attacks were, along with DDoS attacks, a favourite of the recently disbanded LulzSec group and allowed it to release large numbers of user records and passwords, both in plain text and in encrypted form; as users often reuse the same password on different systems, those passwords can be the key to other systems too.
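The following is an added example, written for this article rather than taken from the CWE/SANS report, showing the pattern behind the number one entry. A login check and a product search are each shown twice: once with user input pasted into the SQL text, once with bound parameters. The users and products tables and the rows in them are constructed for the demonstration and use SQLite so it runs offline; the plain-text passwords in the users table are there only to keep the example short (storing them that way is itself item 8 and item 25 on the list).

```python
"""SQL injection (CWE-89): string-built queries next to their parameterised fix.
Illustrative code written for this article, not code from CWE, SANS or any product."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    conn.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The mistake: untrusted input becomes part of the SQL grammar.
    A password of  ' OR '1'='1  turns the WHERE clause into
    (username = '...' AND password = '') OR '1'='1', which matches every row."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """The fix: bound parameters. The statement text is fixed before any user data
    arrives, so the driver can only ever treat the input as a string value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term: str):
    """A read-only search is just as dangerous: a UNION clause smuggled in through
    the search term lets the caller pull rows from an unrelated table, which is how
    entire credential databases end up being dumped."""
    sql = "SELECT name FROM products WHERE name LIKE '%%%s%%'" % term
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, term: str):
    """Parameterised version. Note that '%' and '_' in the input are still LIKE
    wildcards; that is a matching-semantics issue, not an injection, and would be
    handled with an ESCAPE clause if it mattered for the application."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    dump = "x%' UNION SELECT username || ':' || password FROM users --"
    print("vulnerable login with injected password:", login_vulnerable(db, "anyone", bypass))
    print("safe login with the same input:        ", login_safe(db, "anyone", bypass))
    print("vulnerable search leaks users:         ", search_vulnerable(db, dump))
    print("safe search with the same input:       ", search_safe(db, dump))
```

The trailing `--` in the search payload comments out the closing quote and wildcard that the original query would have appended, which is why the injected statement still parses. Filtering quotes out of the input does not fix this class of bug reliably; only keeping the query text and the data on separate channels, as the parameterised versions do, does.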

In second position came OS command injection, in which unfiltered parameters are used as part of a command executed by the underlying operating system. Classic buffer overflows, described as "still pernicious after all these decades", stayed in the top three at number three thanks to their ability to allow code to be injected into running applications.
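As an added example for the number two entry, again written for this article and not taken from the report, here is the same mistake made with an operating system command. A small greeting routine is shown first with the user's input spliced into a shell command line, then without a shell at all, then with shell quoting for the cases where a shell string cannot be avoided, plus an allowlist check. It assumes a POSIX /bin/sh and an echo binary on the PATH; the routine and the payload are constructed for the demonstration.

```python
"""OS command injection (CWE-78): a shell command built from user input, and the
fixes. Illustrative code written for this article, not code from CWE or SANS.
Assumes a POSIX shell at /bin/sh and `echo` on PATH."""
import re
import shlex
import subprocess


def greet_vulnerable(name: str) -> str:
    """The mistake: user input spliced into a string that /bin/sh will parse.
    Metacharacters such as ';', '|', '&&', backticks and $(...) are interpreted by
    the shell, so the caller runs arbitrary commands with the application's rights."""
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_safe(name: str) -> str:
    """The fix: no shell. An argv list is handed to execve() directly, so the whole
    of `name` arrives as a single argument to echo, metacharacters included."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout


def greet_quoted(name: str) -> str:
    """When a shell string is unavoidable (pipelines, redirections, globbing),
    quote every untrusted piece with shlex.quote() so the shell sees one literal word."""
    result = subprocess.run("echo Hello " + shlex.quote(name), shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Constructed allowlist for this demo: letters, digits, space, underscore, dot, dash.
_NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def validate_name(name: str) -> str:
    """Defence in depth: check the input against what the application actually
    expects before it goes anywhere near a command. Rejecting unexpected characters
    is far more robust than trying to strip a list of 'dangerous' ones, which is
    the poorly filtered case the article describes."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("unexpected characters in name: %r" % name)
    return name


if __name__ == "__main__":
    payload = "world; echo INJECTED"
    print("vulnerable:", repr(greet_vulnerable(payload)))
    print("argv list: ", repr(greet_safe(payload)))
    print("quoted:    ", repr(greet_quoted(payload)))
    try:
        validate_name(payload)
    except ValueError as exc:
        print("allowlist: ", exc)
```

With the payload `world; echo INJECTED`, the vulnerable version runs two commands and prints two lines; both hardened versions print a single line containing the payload verbatim. The argv-list form is the one to reach for by default; quoting is the fallback, and validation sits in front of either.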

With the Top 25 list, the Institute hopes to inform developers of the potential hazards that can be created by their programming errors and how they can avoid potential vulnerabilities. The list is the result of a collaboration between SANS, MITRE and various European and American experts. This year's list has been ranked using the new Common Weakness Scoring System (CWSS), which quantifies the nature of a weakness and its potential impact.

Top 25 Most Dangerous Software Errors 2011 (CWE/SANS)
1 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5 Missing Authentication for Critical Function
6 Missing Authorization
7 Use of Hard-coded Credentials
8 Missing Encryption of Sensitive Data
9 Unrestricted Upload of File with Dangerous Type
10 Reliance on Untrusted Inputs in a Security Decision
11 Execution with Unnecessary Privileges
12 Cross-Site Request Forgery (CSRF)
13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14 Download of Code Without Integrity Check
15 Incorrect Authorization
16 Inclusion of Functionality from Untrusted Control Sphere
17 Incorrect Permission Assignment for Critical Resource
18 Use of Potentially Dangerous Function
19 Use of a Broken or Risky Cryptographic Algorithm
20 Incorrect Calculation of Buffer Size
21 Improper Restriction of Excessive Authentication Attempts
22 URL Redirection to Untrusted Site ('Open Redirect')
23 Uncontrolled Format String
24 Integer Overflow or Wraparound
25 Use of a One-Way Hash without a Salt

