The 25 Most Dangerous Programming Errors

Security Experts Unveil List of Common Vulnerabilities and How to Fix Them

By Linda McGlasson, January 12, 2009.

As banking regulators emphasize the necessity of application security, a broad-based consortium now sheds new light on the most common vulnerabilities.

Experts from more than 30 U.S. and international cyber security organizations, including the National Security Agency and the Department of Homeland Security's National Cyber Security Division, have just released a list of the 25 most dangerous programming errors that can lead to security bugs and enable cyber crime.

The panel of experts - including thought-leaders from Symantec, Microsoft and Purdue University - worked since last September on this project, breaking down the 25 errors into three categories:

Insecure Interaction Between Components;
Risky Resource Management;
Porous Defense.

The impact of these errors is far reaching. In 2008 just two of them led to more than 1.5 million web site security breaches - cascading onto the computers of people who visited those web sites, turning their computers into zombies.

Coming at a time when banking regulators are focusing more on application security, this list gives banking/security leaders a place to start when assessing the security of their own applications, as well as those developed and managed by vendors.

"An institution can hand this list to their in-house programming staff, software vendors, and third-party service providers and say, 'Are you looking for these 25 errors?'" says Robert Martin, CWE Project Leader at MITRE, who coordinated the work done to develop the list. The SANS Institute and MITRE managed the initiative.

The Top 25 web site (cwe.mitre.org/top25/) provides detailed and authoritative information on mitigation. "Now by using the Top 25 we can spend less time working with police after the house has been robbed, and instead focus on getting locks on the doors before it happens," says Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

The Business Value of Secure Software

For many years, organizations have wrestled with the problems of creating secure software, and often learned the hard way, through system failure and breaches, before finding and fixing the bugs. These bugs exist typically because many of the computing errors aren't well understood by programmers who write code, students aren't taught how to avoid them, and the presence of these errors is not frequently tested by companies that develop software.

With this new list, institutions now have a security benchmark, Martin says. "[It's] something tangible, a measurable target that institutions can take action on to show progress on those high level directives from agencies that ask for application security to be strengthened," he says.

Should an institution vet all of its software and applications against these 25 errors, the institution's level of security will absolutely go up, Martin says. "It doesn't mean they're going to be invulnerable, but the weaknesses covered in the top 25 represent a huge attack surface."

Among the constituencies expected to benefit from the top 25 list:

Software buyers - who will be able to buy safer software by using the Top 25 to vet their purchases.

Programmers - who will have tools that consistently measure the security of the software they are writing.

Colleges - which will be able to teach secure coding more confidently. UC Davis, one of the colleges that participated in developing the Top 25, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities.

Employers - who can use the Top 25 list as a guide for evaluating and improving skills of programmers or service providers they hire.

Financial Industry Reaction

Industry experts see the Top 25 list as a positive step toward proactively improving application security.

"The researchers did an excellent job of cataloguing the top 25 errors, as well as providing resources to eliminate them," says Avivah Litan, a Gartner Group Distinguished Analyst. "I think there is good reason to be optimistic on this initiative."
