The 25 Most Dangerous Programming Errors

Security Experts Unveil List of Common Vulnerabilities and How to Fix Them
As banking regulators emphasize the necessity of application security, a broad-based consortium now sheds new light on the most common vulnerabilities.

Experts from more than 30 U.S. and international cyber security organizations, including the National Security Agency and the Department of Homeland Security's National Cyber Security Division, have just released a list of the 25 most dangerous programming errors that can lead to security bugs and enable cyber crime.

The panel of experts - including thought leaders from Symantec, Microsoft and Purdue University - has worked since last September on this project, breaking down the 25 errors into three categories:

Insecure Interaction Between Components;
Risky Resource Management;
Porous Defense.

The impact of these errors is far-reaching. In 2008 just two of them led to more than 1.5 million web site security breaches - cascading onto the computers of people who visited those web sites and turning those computers into zombies.

Coming at a time when banking regulators are focusing more on application security, this list gives banking/security leaders a place to start when assessing the security of their own applications, as well as those developed and managed by vendors.

"An institution can hand this list to their in-house programming staff, software vendors, and third-party service providers and say, 'Are you looking for these 25 errors?'" says Robert Martin, CWE Project Leader at MITRE, who coordinated the work done to develop the list. The SANS Institute and MITRE managed the initiative.

The Top 25 web site provides detailed and authoritative information on mitigation. "Now by using the Top 25 we can spend less time working with police after the house has been robbed, and instead focus on getting locks on the doors before it happens," says Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

The Business Value of Secure Software

For many years, organizations have wrestled with the problem of creating secure software, and have often learned the hard way, through system failures and breaches, before finding and fixing the bugs. These bugs typically exist because many of the underlying errors aren't well understood by the programmers who write the code, students aren't taught how to avoid them, and companies that develop software do not routinely test for their presence.

With this new list, institutions now have a security benchmark, Martin says. "[It's] something tangible, a measurable target that institutions can take action on to show progress on those high level directives from agencies that ask for application security to be strengthened," he says.

Should an institution vet all of its software and applications against these 25 errors, the level of the institution's security will absolutely go up, Martin says. "It doesn't mean they're going to be invulnerable, but the weaknesses covered in the top 25 represent a huge attack surface."

Among the constituencies expected to benefit from the top 25 list:

Software buyers - who will be able to buy safer software by using the Top 25 to vet their purchases.

Programmers - who will have tools that consistently measure the security of the software they are writing.

Colleges - which will be able to teach secure coding more confidently. UC Davis, one of the colleges that participated in developing the Top 25, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities.

Employers - who can use the Top 25 list as a guide for evaluating and improving skills of programmers or service providers they hire.

Financial Industry Reaction

Industry experts see the Top 25 list as a positive step toward proactively improving application security.

"The researchers did an excellent job of cataloguing the top 25 errors, as well as providing resources to eliminate them," says Avivah Litan, a Gartner Group Distinguished Analyst. "I think there is good reason to be optimistic on this initiative."

With the added awareness that the Top 25 Errors list will bring, Litan sees that old applications with vulnerabilities can be remediated and new ones can be developed to close the weak spots up front, before the software is operational. However, she cautions, "The main challenge will be getting this information into the right people's hands and making sure they pay attention to it."

Echoing Litan's optimism is Stephen Katz, former CISO at Citigroup and Merrill Lynch. "Coming up with sound, secure programming techniques is so desperately needed," he says. "Teaching people how to code securely is only overdue by about 20 years."

The focus of securing software and applications hasn't been a top priority at financial institutions because of the onerous tasks that confront them, "but hopefully this Top 25 Error list will make it a priority," Katz says.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.