25 Most Dangerous Programming Errors from the SANS Institute

Posted At : January 12, 2009 1:41 PM | Posted By : Jason Dean
Related Categories: Security

Today the SANS Institute published an article outlining the Top 25 Most Dangerous Programming Errors as defined by, "...more than 30 US and international cyber security organizations..."

From the article:

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The report looks to be quite thorough and covers the vulnerabilites in great depth. It also discusses prevention and mitigation techniques. I am very excited to dig into the report and learn more.

Some of the Top 25 include:

Our old favorites:

Improper Input Validation
Improper Encoding or Escaping of Output
Failure to Preserve SQL Query Structure
Cross-Site Request Forgery (CSRF)
Error Message Information Leak

And some I have not previously considered:

Download of Code Without Integrity Check
Use of a Broken or Risky Cryptographic Algorithm
Use of Insufficiently Random Values
Failure to Preserve OS Command Structure

Comments (4) |

Print |

Send |

del.icio.us |

Digg It! |

Linking Blogs | 1111 Views

Related Blog Entries

ORM (Hibernate) SQL Injection - Security Series #14 (November 19, 2009)
A Security Project for CFML (February 3, 2009)

Comments

[Add Comment] [Subscribe to Comments]

Really, in an ideal world, every software application should be security tested by a 3rd party... which thankfully is becoming what's generally recommended in the SaaS community. Or so I've read. Thanks for posting this btw. :)

# Posted By ike | 1/12/09 1:53 PM

One does wonder though how you can code in ColdFusion and meet *all* of these. For instance, under Improper Initialization it has listed as a requirement: "Use a language that forces the programmer to explicitly initialize all variables before use. "

# Posted By Mary Jo | 1/26/09 7:52 PM

@Mary Jo - I have to wonder how someone could program in ANY language and meet *all* of these requirements. It would be a very tall order indeed. I was discussing this with someone the other day and we kind of concluded that it probably unreasonable to expect any one team or vender to hit all of these, and to do it correctly. I think they general idea is figuring out how to get as close as possible to all of them. Some of them are no brainers, some are easy to implement. But many are neither. And so the questions are:

How secure does my application need to be? Does ever application need to cover all 25 of these? Do time an budget constraints prevent us from implementing some of these? If so, which ones get cut? What are the risks? etc. etc. etc.

FYI, in the example you cited, if you read a little further, you will see that there is an "out" for languages that do not force developers to initialize their variables ahead of time.

# Posted By Jason Dean | 1/26/09 8:21 PM

Yes, agree with your take on it, it seems to raise as many questions as it does answering them. Some of them certainly are a little hard to interpret in terms of a typical web application. I imagine it will give you some good fodder for more blog articles in the future, in terms of how to take some of these and apply them to CF applications. ;-)

# Posted By Mary Jo | 1/27/09 1:08 PM

[Add Comment]