The 25 most dangerous programming errors that lead to security bugs and enable cybercrime have been identified.
Experts from more than 30 US and international cyber security organizations jointly released the consensus list and claimed that most of the errors are not well understood by programmers.
Project manager Bob Martin of MITRE claimed that avoiding these errors is not widely taught by computer science programs and that their presence is frequently not tested for by organisations developing software for sale.
The Top 25 focuses on the actual programming errors, made by developers, that create the vulnerabilities. The impact of these errors is far-reaching, with just two of them leading to more than 1.5 million security breaches during 2008.
The list includes: improper input validation; improper encoding or escaping of output; failure to preserve SQL query structure (aka 'SQL injection'); failure to preserve web page structure (aka 'cross-site scripting'); failure to preserve OS command structure (aka 'OS command injection'); download of code without integrity check; cleartext transmission of sensitive information; and failure to control generation of code (aka 'code injection').
Chris Wysopal, co-founder and CTO of Veracode, said: “A prioritised list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The Top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.”
Mason Brown, SANS Director, said: “There appears to be broad agreement on the programming errors. Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”
A statement from the US Office of the Director of National Intelligence expressed its support, saying: “We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations.
“The Top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education.”