This year’s list of the 25 Most Dangerous Programming Errors [downloadable PDF] has been published by the CWE project, which is a cooperative venture between the MITRE Corp., the SANS Institute, and numerous software security experts in the US and Europe.
The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The list is issued annually (I wrote about the 2010 list here), and is meant to provide information that allows software developers, their customers, and their managers to focus on a small, but important, set of potential security flaws. This year’s list introduces a new priority scoring system, using input from more than 20 different organizations, based on prevalence, importance, and likelihood of exploit.
Once again, we see that many of the top positions on the list are filled by perennial favorites. SQL Injection takes the number 1 spot this year, followed by OS Command Injection. Cross-Site Scripting, in the top spot last year, has fallen to number 4, but Buffer Overflow, a venerable and sentimental favorite, hangs in there at number 3. The report classifies the Top 25 into three broad categories:
- Insecure Interaction between Components (6 entries)
- Risky Resource Management (8 entries)
- Porous Defenses (11 entries)
Neil McAllister, at InfoWorld, has a column on the Top 25 report; as he says, “… the bad news is how few surprises it contains.” He also makes the very important point that developers should not place too much reliance on security features of their chosen platform.
> For example, managed languages such as Java and C# eliminate the possibility of buffer overruns by doing bounds-checking at runtime. … But neither Java nor C# does anything to protect you from SQL-injection vulnerabilities caused by poorly validated user input …
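The column's point, that a memory-safe runtime does nothing about SQL injection, is easy to see in code. The following is an added example, not part of this post or of McAllister's column; it uses Python's `sqlite3` module rather than Java or C# because the behaviour is identical in any managed language, and the `users` table, its rows and the function names are constructed for illustration. The vulnerable function splices the caller's value into the SQL text (the CWE-89 pattern); the safe one passes it as a bound parameter, so the database never parses it as SQL.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # CWE-89 pattern: the untrusted value becomes part of the SQL text, so the
    # database parses whatever the caller supplied as query syntax. The runtime's
    # bounds checking is irrelevant here; no memory is being corrupted.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL text and is
    # treated as data regardless of which characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    # Runs both variants over the same inputs and returns the observations so
    # they can be checked rather than only printed.
    conn = make_db()
    results = {}
    results["safe_exact"] = find_user_safe(conn, "alice")

    # A perfectly legitimate name containing an apostrophe already breaks the
    # concatenated query, which is the same defect seen from the robustness side.
    results["safe_apostrophe"] = find_user_safe(conn, "O'Brien")
    try:
        find_user_vulnerable(conn, "O'Brien")
        results["vuln_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"

    # The textbook tautology turns the lookup into "match every row" when the
    # value is spliced in, and matches nothing when it is bound as a parameter.
    probe = "x' OR '1'='1"
    results["vuln_tautology"] = find_user_vulnerable(conn, probe)
    results["safe_tautology"] = find_user_safe(conn, probe)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check a reviewer can apply to any code base in a managed language is the same one this example makes mechanical: every query that reaches the database must be built with placeholders and bound values, and any occurrence of string concatenation or formatting that feeds a query string is a finding, no matter how safe the surrounding runtime is.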
If nothing else, the list should remind us that getting security right is hard. It should be required reading for all developers and development managers.