This year’s list of the 25 Most Dangerous Programming Errors has been published by the CWE project, which is a cooperative venture between the MITRE Corp., the SANS Institute, and numerous software security experts in the US and Europe.
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
It is based, in part, on the Common Weakness Enumeration data, maintained by MITRE in conjunction with the US Department of Homeland Security, and on the SANS list of Top 20 Attack Vectors. The error list is meant to help educate developers, managers, and software customers about the kinds of too-common errors that cause so many security flaws in software. The list contains detailed discussion of the errors, along with information about the circumstances and environments in which they are most common, and advice on mitigating their impact.
Reading through the list can be a sobering experience. The venerable buffer overflow bug is still in the number 3 position (although it is down from number 1 last year), which is a bit depressing since it was a buffer overflow vulnerability that was exploited by the very first Internet worm (the Morris worm) back in the late 1980s. The number 1 and 2 positions this year are occupied by two other old favorites: cross-site scripting and SQL injection. It has been said that the invention of writing and the printing press allowed knowledge to be captured and passed along to future generations. Software development managers know that this theory is sometimes less than totally apparent in practice.
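To make the top two entries concrete, here is an added example (not code from the post or from the CWE/SANS list) showing the classic form of each error next to the mitigation the list recommends: a SQL query built by string concatenation beside its parameterized form, and an HTML fragment emitted with and without output encoding. The `users` table and its two rows are constructed sample data; the database is an in-memory SQLite instance.

```python
import html
import sqlite3


def make_db():
    """Constructed sample database: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_concat(conn, name):
    """CWE-89 pattern: untrusted input spliced into the query text.

    Any quote character in `name` changes the structure of the SQL
    statement, so the caller no longer controls what is being asked.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, name):
    """Mitigated form: a bound parameter.

    The driver sends the statement and the value separately, so the
    value is compared as data and can never alter the query structure.
    """
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    ]


def render_greeting_raw(name):
    """CWE-79 pattern: untrusted text written straight into an HTML page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Mitigated form: encode for the HTML text context before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both pairs on the same inputs and return the observable results."""
    conn = make_db()
    # Constructed input: a name that is also a SQL tautology.
    tautology = "x' OR 'a'='a"
    # Constructed input: a name that is also an HTML script element.
    markup = "<script>alert(1)</script>"
    return {
        "concat": lookup_concat(conn, tautology),   # every row comes back
        "param": lookup_param(conn, tautology),     # no such user: []
        "raw": render_greeting_raw(markup),         # script element survives
        "escaped": render_greeting_escaped(markup), # rendered as inert text
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:8s} {value!r}")
```

The two mitigations share one idea: keep data and code in separate channels. A bound parameter does that for SQL; context-appropriate encoding does it for HTML. Neither depends on guessing which characters an attacker might send, which is why the list favors them over input blacklists.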
Still, it is a hopeful sign, I think, that this kind of information is being collected and published. If software is to become a real engineering discipline, a body of knowledge about what works and what doesn’t is essential. The plural of “anecdote” is not “data”.