25 Most Dangerous Programming Errors from the SANS Institute

Today the SANS Institute published an article outlining the Top 25 Most Dangerous Programming Errors as defined by, "...more than 30 US and international cyber security organizations..."

From the article:

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The report looks to be quite thorough and covers the vulnerabilites in great depth. It also discusses prevention and mitigation techniques. I am very excited to dig into the report and learn more.

Some of the Top 25 include:

Our old favorites:

  • Improper Input Validation
  • Improper Encoding or Escaping of Output
  • Failure to Preserve SQL Query Structure
  • Cross-Site Request Forgery (CSRF)
  • Error Message Information Leak

And some I have not previously considered:

  • Download of Code Without Integrity Check
  • Use of a Broken or Risky Cryptographic Algorithm
  • Use of Insufficiently Random Values
  • Failure to Preserve OS Command Structure

Related Blog Entries

ike's Gravatar Really, in an ideal world, every software application should be security tested by a 3rd party... which thankfully is becoming what's generally recommended in the SaaS community. Or so I've read. Thanks for posting this btw. :)
# Posted By ike | 1/12/09 1:53 PM
Mary Jo's Gravatar One does wonder though how you can code in ColdFusion and meet *all* of these. For instance, under Improper Initialization it has listed as a requirement: "Use a language that forces the programmer to explicitly initialize all variables before use. "
# Posted By Mary Jo | 1/26/09 7:52 PM
Jason Dean's Gravatar @Mary Jo - I have to wonder how someone could program in ANY language and meet *all* of these requirements. It would be a very tall order indeed. I was discussing this with someone the other day and we kind of concluded that it probably unreasonable to expect any one team or vender to hit all of these, and to do it correctly. I think they general idea is figuring out how to get as close as possible to all of them. Some of them are no brainers, some are easy to implement. But many are neither. And so the questions are:

How secure does my application need to be? Does ever application need to cover all 25 of these? Do time an budget constraints prevent us from implementing some of these? If so, which ones get cut? What are the risks? etc. etc. etc.

FYI, in the example you cited, if you read a little further, you will see that there is an "out" for languages that do not force developers to initialize their variables ahead of time.
# Posted By Jason Dean | 1/26/09 8:21 PM
Mary Jo's Gravatar Yes, agree with your take on it, it seems to raise as many questions as it does answering them. Some of them certainly are a little hard to interpret in terms of a typical web application. I imagine it will give you some good fodder for more blog articles in the future, in terms of how to take some of these and apply them to CF applications. ;-)
# Posted By Mary Jo | 1/27/09 1:08 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner