The SANS Institute and nearly 30 other organizations joined together to release an updated list of the 25 most common programming errors. The list underscores the need to inject more security into the application development process, experts say.
Roughly 30 national and international cyber-security organizations released Feb. 16 an updated list of the 25 most dangerous programming errors as part of an effort to inject security into the development process.
In addition to the most common programming errors, the group settled on a standard for contract language between software buyers and developers to ensure the buyers are not held liable for buggy code. Such code is at the heart of many breaches, including the recent Google attacks, the group noted.
"The CWE/SANS Top 25 Programming Errors list provides critical inputs every software organization needs to incorporate into their quality and security processes," said Bill Curtis, director of the Consortium for IT Software Quality (CISQ), in a statement. "CISQ will be working to incorporate defined patterns for recognizing these weaknesses into its standardization for security measurement."
The list was put together by representatives from various vendors and government agencies, including the SANS Institute, McAfee and the National Security Agency. The programming errors are separated into three general groups: insecure interaction between components, risky resource management and porous defenses. Much of the list will sound familiar: failure to preserve SQL query structure (SQL injection), buffer overflow and failure to preserve Web page structure (cross-site scripting).
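The Top 25 names SQL injection as a "failure to preserve SQL query structure." The following added example (not from the article or from the CWE/SANS list) makes that wording concrete with a constructed in-memory SQLite table: the concatenated query lets the input change the query's structure, while the parameterized query fixes the structure before any input is bound, which is the kind of mitigation the list's "Monster Mitigations" prescribe.

```python
import sqlite3


def make_db():
    """Build a small constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Weak form: the input is spliced into the SQL text, so the
    database parses whatever structure the input happens to contain."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Mitigated form: the query structure is fixed here; the input is
    bound as a value and can never become part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return (concat, param).
    A concatenated query whose structure breaks yields 'query-broken'."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error:
        concat = "query-broken"
    return concat, lookup_param(conn, name)
```

A plain apostrophe in a legitimate name is enough to break the concatenated query, which is the same defect that lets crafted input widen it; the parameterized form returns the same rows in every case.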
Also included in the report is the "Focus Profiles" section, which features rankings of the top 25 errors and 16 others according to criteria such as programming language or technical impact. The new list also adds a small set of the most effective "Monster Mitigations" to help developers eliminate entire groups of bugs.
"Developers and security testers will find more value in the 2010 list," Veracode CTO Chris Wysopal told eWEEK. "The focus profiles allow the list to be more useful from different perspectives, and the Monster Mitigations give great prescriptive advice for eliminating many of the Top 25 from software."
Developers are becoming more aware of security flaws, Wysopal continued. Still, there is a long way to go to improve adoption.
"The impediment is getting security processes and technology embedded in the software development lifecycle," he said. "It's adoption and usage. ... Training needs to be adopted more. I am hopeful that computer-based training tailored to a developer's language and platform can up the pace of awareness."