25 most dangerous programming errors
- Date: January 13th, 2009
- Author: Chad Perrin
- Category: Security, vulnerability
- Tags: Computer Security, Programming, Computer, Programming Error, Development Tools, Productivity, Security, Software Development, Software/Web Development, Chad Perrin
Computer security organizations the world over have come together to produce a list of the 25 “most dangerous” programming errors. If you do any programming, it’s time to sit up and take notice.
I’ve interrupted my planned schedule of upcoming articles to bring you something I think should be brought to the attention of any programmers in my audience sooner, rather than later.
The SANS Institute has explanations of the 25 most dangerous programming errors, according to security experts from all over the world working for a number of different computer security organizations. As pointed out early in the article:
The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.
The 25 errors, organized by type, are:
Insecure Interaction Between Components
- Improper Input Validation
- Improper Encoding or Escaping of Output
- Failure to Preserve SQL Query Structure
- Failure to Preserve Web Page Structure
- Failure to Preserve OS Command Structure
- Cleartext Transmission of Sensitive Information
- Cross-Site Request Forgery
- Race Condition
- Error Message Information Leak
Risky Resource Management
- Failure to Constrain Operations within the Bounds of a Memory Buffer
- External Control of Critical State Data
- External Control of File Name or Path
- Untrusted Search Path
- Failure to Control Generation of Code
- Download of Code Without Integrity Check
- Improper Resource Shutdown or Release
- Improper Initialization
- Incorrect Calculation
Porous Defenses
- Improper Access Control
- Use of a Broken or Risky Cryptographic Algorithm
- Hard-Coded Password
- Insecure Permission Assignment for Critical Resource
- Use of Insufficiently Random Values
- Execution with Unnecessary Privileges
- Client-Side Enforcement of Server-Side Security
More information about the list as a whole, and about each of the individual vulnerabilities, can be found at the CWE/SANS Top 25 Most Dangerous Programming Errors page. This is, in short, a syllabus for one of several secure programming courses that should be taught to everybody looking to pursue a career as a programmer. If you’re a software developer, you should start learning about these vulnerability types, and how to avoid them, without delay.
Special thanks to Sterling Camden, of TechRepublic’s own IT Consulting Weblog, for inspiring me to write this article.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools. Read his full bio and profile.
Print/View all Posts Comments on this blog
General categories
Sterling "Chip" Camden | 01/13/09
|
|
RE: 25 most dangerous programming errors
yeoman | 01/14/09
|
Hear, Hear...
dinosaur_z | 01/14/09
|
But....
hlhowell@... | 01/15/09
|
|
RE: 25 most dangerous programming errors
admin@... | 01/14/09
|
|
not my job
apotheon | 01/14/09
|
|
Sounds more like they've used a
Tony Hopkinson | 01/15/09
|
|
RE: 25 most dangerous programming errors
Justin James | 01/15/09
|
Wonder what % SQL injection is due to config
seanferd | 01/15/09
|
|
You still have to sanitize input that's going into a query
Sterling "Chip" Camden | 01/15/09
|
|
Sanitizing input
Justin James | 01/16/09
|
|
Rule of thumb
Sterling "Chip" Camden | 01/16/09
|
|
Data I created
Justin James | 01/17/09
|
|
Or you could have dropped a clanger
Tony Hopkinson | 01/18/09
|
|
Ah, right. Thanks.
seanferd | 01/16/09
|
