Top 25 Most Dangerous Programming Errors Revealed

Cross-Site Scripting tops the list, which is designed to help businesses build security into the software procurement process.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 16, 2010

3 Min Read

A group of over 30 national and international computer security groups on Tuesday released a list of the 25 most dangerous programming errors as part of an effort to make the custom software business more accountable.

For the U.S., where recent cyber attacks against Google and dozens of other companies have underscored the porousness of computer networks, this is a welcome development.

"We believe that integrity of hardware and software products is a critical element of cybersecurity," The Office of the Director of National Intelligence said in a statement. "Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations. The Top 25 programming errors initiative is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."

Earlier this month, Dennis C. Blair, Director of National Intelligence, told the Senate Intelligence Committee that U.S. critical infrastructure is "severely threatened" by cyber attacks.

Because many cyber threats rely on software vulnerabilities, there's a broad effort to improve computer science education so that programmers become better at writing secure code.

On a phone briefing for reporters, Alan Paller, director of research at the SANS Institute, said that one of the goals of the Top 25 list is to help companies avoid being in the situation faced by Siemens recently.

According to Paller, Siemens in 2008 paid over 100,000 Euros for a software package and found that security wasn't part of the deal. After weeks of negotiations, the company had to pay about 145,000 Euros more to make its custom software secure.

By providing detailed information about common software programming problems, SANS, MITRE and the other security organizations that compiled the list hope that software buyers and software vendors will be able to create contracts that require custom code to be free of the Top 25 errors. The goal is to force vendors to test the security of their software and to provide customers with their test results.

"No one likes to share test results that show them writing bad code," said Paller.

Toward that end, the procurement language used by the State of New York and other state governments is being changed to ensure that these Top 25 errors are avoided. Other states are likely to follow.

Awareness of the Top 25 errors is also likely to be reflected in university computer science courses and in employers' evaluations of programmers.

The Top 25 list includes:

1) CWE-79 - Failure to Preserve Web Page Structure ('Cross-site Scripting')
2) CWE-89 - Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3) CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4) CWE-352 - Cross-Site Request Forgery (CSRF)
5) CWE-285 - Improper Access Control (Authorization)
6) CWE-807 - Reliance on Untrusted Inputs in a Security Decision
7) CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8) CWE-434 - Unrestricted Upload of File with Dangerous Type
9) CWE-78 - Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10) CWE-311 - Missing Encryption of Sensitive Data

For further information, see's Web site.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights