The 2011 CWE/SANS Top 25 Most Dangerous Software Errors report was published by the SANS Institute and MITRE in June (cwe.mitre.org/top25). The report leveraged the SANS Institute’s Top 20 attack vectors (www.sans.org/top20) and MITRE’s Common Weakness Enumeration (CWE) to develop a list of the most frequent and severe programming errors this year. The report details each error, how it is implemented, what the danger is, and practical ideas for identifying and mitigating it. The report is fascinating to read — both its compilation and technical content — and well worth your time even if you are an experienced developer. The report also suggests it would be a valuable read for software project managers, software project customers, and educators. I agree.
Not surprisingly, the top 25 most dangerous programming errors contain some well-known programming mistakes that have been with us for years (decades, in fact).
For example, the first error discussed in the report is SQL Injection. Using improperly escaped special characters in a SQL query, hackers can steal and/or hijack your data. Skeptical? Ask Sony Pictures, PBS and MySQL.com; they were all victims of attacks this year enabled by this common programming mistake. It is unfortunate, because with a little effort, this programming vulnerability can be easily mitigated.
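To make the "little effort" concrete, here is an added example (my own illustration, not code from the report or from any of the sites named above). It builds a small in-memory SQLite table with constructed sample rows and runs the same lookup two ways: once with the user-supplied value spliced into the SQL text, which is the mistake the report describes, and once as a parameterized query, which is the standard mitigation. The function and table names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the report.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The mistake: user input is spliced into the SQL text.

    A single quote inside `name` closes the string literal, and whatever
    follows is parsed as SQL syntax rather than as data.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query.

    The value travels to the engine separately from the SQL text, so quotes
    or keywords inside `name` are compared as data and never become syntax.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on the same input; return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


def breaks_query(name):
    """True if the concatenated form cannot even handle this value.

    Perfectly legitimate data such as a surname with an apostrophe produces
    a malformed statement, so the bug shows up as an error long before anyone
    hostile finds it. The parameterized form handles the same value cleanly.
    """
    conn = make_db()
    try:
        lookup_safe(conn, name)  # always fine
        try:
            lookup_vulnerable(conn, name)
        except sqlite3.OperationalError:
            return True
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both forms return the single matching row.
    print(compare("alice"))
    # Input carrying SQL metacharacters (the textbook tautology): the spliced
    # query's WHERE clause becomes always-true and every row leaks, while the
    # parameterized query treats the whole string as a name and matches nothing.
    print(compare("x' OR '1'='1"))
    # A legitimate apostrophe is enough to break the concatenated version.
    print(breaks_query("O'Brien"))
```

The mitigation is the same in every language and database driver: keep the SQL text fixed and pass values through the driver's placeholder mechanism. Escaping by hand is the approach that keeps failing; the report's guidance and this example both point at parameterization instead.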
Also, still in the top 5 is the classic Buffer Overflow problem. This mistake allows hackers to inject more information into a field or variable than it can handle. The resulting “overflow” can contain malicious code and grant hackers access to your system, plant viral code, or simply crash your system. Buffer overflows have been around for decades. Too bad, since these too can easily be corrected.
Other common mistakes include: OS Command Injection, Cross-site Scripting, Hard-Coded Credentials, Unrestricted File Uploads, bogus or flawed cryptography, and Open Redirects. As detailed in the report, all of the errors are very simple to correct and prevent. It would serve everyone well — developers, testers, designers, managers and users — to be aware of these errors, how to identify them, and most importantly, how to mitigate them. Give it a read; it is well worth your time: cwe.mitre.org/top25.