1/12/2009

Top 25 programming errors - and how to avoid 'em

Earlier today, the SANS institute published a list of the 25 "most dangerous" programming errors. The language in the press release is a little overblown (for example, "Shockingly, most of these errors are not well understood by programmers"), no doubt to attract the attention of reporters looking for a juicy story. The good news is, the announcement isn't all marketing fluff. It also provides detailed information on how to identify and avoid all the errors listed.

For instance:

1. Click here to open the announcement, then scroll down to "CWE-20: Improper Input Validation."

2. Click on "MORE" to view a summary of the error, including consequences, ease of detection, remediation cost, etc.

3. Click on "CWE-20" at the top of the summary to see examples of the error in Java, C, PHP, etc.

To compile the list, SANS enlisted the help of experts from Symantec, Red Hat, the Department of Homeland Security (DHS), the National Security Agency (NSA), the University of California, and other organizations.

What about you? Do you think the list is on the money? Or do you think the experts missed some key vulnerabilities -- or perhaps overestimated others?

2 comments:

Bill said...

There is a great book I read a few years ago, "The 19 Deadly Sins of Software Security" by Michael Howard et al. These top 25 seem to overlap exactly with the 19 deadly sins.

http://blogs.msdn.com/michael_howard/archive/2005/07/11/437875.aspx

Note that this list is security focused. Although these common mistakes apply to system reliability there are other errors and mistakes that are not as important for security, for example, memory leaks.

Paul N. Leroux said...

Good point. SANS is focused squarely on security, so the list definitely reflects that bias.