Government Technology

Report Names 25 Most Dangerous Programming Errors in Today's Software


January 29, 2009 By

IT professionals from more than 30 private- and public-sector organizations created a list of 25 widespread programming errors, and they hope the information will change the way programmers write software, therefore drastically reducing vulnerabilities that can be exploited.

The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list, publicly released on Jan. 12, 2009, delineates programming errors and ways IT professionals can avoid them. The list is the result of collaboration between the U.S. National Security Agency; the SANS Institute, a security training organization; the MITRE Corp., a nonprofit technology and engineering research and development organization; and numerous security experts from around the world.


Video: Staff Writer Hilton Collins shows us how vulnerability is written into code.

"One of our primary audiences for the top 25 [is] software developers -- to basically give them a handy checklist to raise their awareness," said Steven Christey, a principal information security engineer at MITRE who was the list's document editor. "We viewed it as a tool for awareness as well as to provide consumers with a way of asking for secure software that was measurable and specific."

Designers and programmers are the chief intended audience for the information. The weaknesses include cross-site scripting, failure to preserve the operating system command structure, and error messages that disclose too much information. According to the report, these 25 programming errors "are dangerous because they will frequently allow attackers to completely take over the software, steal data or prevent the software from working at all." They occur frequently and are easy to find and exploit.

The entries are divided into three categories: nine related to insecure ways in which data is sent and received between system components, nine related to improper management of system resources and seven related to defensive techniques that are often misused, abused or ignored. Each of the 25 is listed with ways programmers can prevent or mitigate them.

Christey said the list gives state and local governments something to refer to when specifying what they want from programmers developing custom code for their jurisdictions. His colleague, Allan Paller, director of research at the SANS Institute and one of the list's project coordinators, concurred that IT leaders in general can use the list to their advantage.

"Before this announcement, you had no way to tell them what to avoid," he said. "You had no way to write a contract with the people who wrote software for you saying, 'If you write code with these holes in it, you're going to be economically liable for the problems that it causes.'"

Paller also said the list can help universities refine how they train programmers and how programmers test the software they create. It also tells developers which specific weaknesses to guard against when writing code.

"The point is to change software from full-of-holes to not-so-full-of-holes," Paller said.

The list came about after the National Security Agency contacted the SANS Institute in late 2007 about identifying the worst programming errors that lead to vulnerabilities. SANS then contacted the MITRE Corp., which had already compiled the Common Weakness Enumeration (CWE), a catalog of software weaknesses. SANS and MITRE worked with more than 30 organizations to refine and create the CWE/SANS Top 25 Most Dangerous Programming Errors list.

