Security Experts ID Top 25 Programming Errors

A group of security experts and luminaries have created a list of the 25 most significant programming errors that can lead to serious software vulnerabilities.

Through an effort coordinated by non-profit research groups The SANS Institute and MITRE, experts from more than thirty US and international cyber security organizations on Monday jointly released the consensus list. The group said the errors are the most common mistakes that lead to security bugs and that enable cyber espionage and cyber crime.

Also see Merkow and Raghavan’s in-depth article ‘Software security for developers’

“Most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale,” according to a statement from the group. “Just two of them led to more than 1.5 million web site security breaches during 2008, and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.”

The group said the list puts the focus now on actual programming errors made in the process of developing software, rather than the vulnerabilities that result from programming errors.

“With the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.” said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

The errors have been grouped into 3 categories: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses. The hope, according to the statement, is that identifying these common mistakes will mean programmers have tools to consistently measure the security of the software they are writing.

“First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify,” said SANS Director, Mason Brown.

The group said ultimately the list will lead to safer software for buyers, as well as educational benefits, too, in that colleges will be able to teach secure coding more confidently and employers will be able to ensure they have programmers who can write more secure code. The Top 25 list will leverage and not be a competitor to the OWASP Top Ten, because its goal is to capture all kinds of software, not just web applications, officials said.

The list can be viewed at www.sans.org/top25/ and cwe.mitre.org/top25/. The site includes the errors and also provides guidance on how to avoid them for programmers.

Several security experts and organizations provided input to the project. The effort was initially spearheaded by the National Security Agency. Financial support for MITRE’s project engineers came from the US Department of Homeland Security’s National Cyber Security Division.