The SANS Institute and nearly 30 other organizations joined together to release an updated list of the 25 most common programming errors. The list underscores the need to inject more security into the application development process, experts say.
Roughly 30 national and
international cyber-security organizations released Feb. 16 an updated list of
the 25 most dangerous programming errors as part of an effort to inject security
into the development process.
In addition to the most
common programming errors, the group settled on a standard for contract language between
software buyers and developers to ensure the buyers are not held liable
for buggy code. Such code is at the heart of many breaches, including the
recent Google attacks, the group noted.
CWE/SANS Top 25 Programming Errors list provides critical inputs
every software organization needs to incorporate into their quality and
security processes," said Bill Curtis, director of the Consortium for IT
Software Quality (CISQ), in a statement. "CISQ will be working to incorporate
defined patterns for recognizing these weaknesses into its standardization for
The list was put together
by representatives from various vendors and government agencies, including the
SANS Institute, McAfee and the National Security Agency. The programming
errors are separated into three general groups: insecure interaction between
components, risky resource management and porous defenses. Much of the list
will sound familiar-failure to preserve SQL query structure (SQL injection),
buffer overflow and failure to preserve Web page structure (cross-site
Also included in the
report is the "Focus Profiles" section, which features
rankings of the top 25 errors and 16 others according to
criteria such as programming language or technical impact. The new
list also adds a small set of the most effective "Monster
Mitigations" to help developers eliminate entire groups of
"Developers and security
testers will find more value in the 2010 list," Veracode
CTO Chris Wysopal told eWEEK. "The
focus profiles allow the list to be more useful from different perspectives,
and the Monster Mitigations give great prescriptive advice for eliminating many
of the Top 25 from software."
Developers are becoming
more aware of security flaws, Wysopal continued. Still, there is a long way to
go to improve adoption.
"The impediment is getting
security processes and technology embedded in the software development
lifecycle," he said. "It's adoption and usage. ... Training needs to be adopted
more. I am hopeful that computer-based training tailored to a developer's
language and platform can up the pace of awareness."