Page last updated at 11:09 GMT, Tuesday, 13 January 2009

Dangerous coding errors revealed

Binary code and fiber optic strands
Experts say many of these errors are not well known

The US National Security Agency has helped put together a list of the world's most dangerous coding mistakes.

The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

Experts say many of these errors are not well understood by programmers.

According to the SANS Institute in Maryland, just two of the errors led to more than 1.5m web site security breaches during 2008.

It is thought that this is the first time the industry has reached agreement on the worst things that can creep into software as it is being written.

More than 30 organisations, including the US National Security Agency, the Department of Homeland Security, Microsoft, and Symantec published the document.

THE TOP 25 MOST DANGEROUS PROGRAMMING ERRORS
CWE-20:Improper Input Validation
CWE-116:Improper Encoding or Escaping of Output
CWE-89:Failure to Preserve SQL Query Structure
CWE-79:Failure to Preserve Web Page Structure
CWE-78:Failure to Preserve OS Command Structure
CWE-319:Cleartext Transmission of Sensitive Information
CWE-352:Cross-Site Request Forgery
CWE-362:Race Condition
CWE-209:Error Message Information Leak
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642:External Control of Critical State Data
CWE-73:External Control of File Name or Path
CWE-426:Untrusted Search Path
CWE-94:Failure to Control Generation of Code
CWE-494:Download of Code Without Integrity Check
CWE-404:Improper Resource Shutdown or Release
CWE-665:Improper Initialization
CWE-682:Incorrect Calculation
CWE-285:Improper Access Control
CWE-327:Use of a Broken or Risky Cryptographic Algorithm
CWE-259:Hard-Coded Password
CWE-732:Insecure Permission Assignment for Critical Resource
CWE-330:Use of Insufficiently Random Values
CWE-250:Execution with Unnecessary Privileges
CWE-602:Client-Side Enforcement of Server-Side Security
Source: SANS Institute

"The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers," said Chris Wysopal, chief technology officer with Veracode.

"There appears to be broad agreement on the programming errors," says SANS director, Mason Brown, "Now it is time to fix them."

"We need to make sure every programmer knows how to write code that is free of the top 25 errors."

"Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors," he said.

Patrick Lincoln, director of the Computer Science Laboratory at SRI International, told the BBC that if programmers prevented these errors appearing in their code, it would deter the majority of hackers.

"This list is primarily for people who have first responsibility for designing a system. Veteran programmers have probably learnt the hard way whereas a brand new programmer will be making more basic errors."

"The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent - ankle-biters if you will - would be deterred from breaking in."

Previously, most advice has focused on vulnerabilities that can result from programming errors. The top 25 list examines the actual programming errors themselves.

The US Office of the Director of National Intelligence, the principal adviser to the President, the National Security Council and the Homeland Security Council also lent their support to the list.

In a statement, they said: "We believe that integrity of hardware and software products is a critical for cyber security. "

"Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations."

"The top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."

Print Sponsor


SEE ALSO
Alarm raised on teenage hackers
27 Oct 08 |  Technology
Hackers prepare supermarket sweep
28 Aug 08 |  Technology
Cyber crime tool kits go on sale
04 Sep 07 |  Technology
Hacker admits online shop thefts
25 Jul 08 |  North East Wales
Hacker leaks 6m Chileans' records
12 May 08 |  Americas
Hacker brings down police website
10 Jun 08 |  Beds/Bucks/Herts
Hacking and mashing at the Palace
24 Jun 08 |  Technology
Computer course to teach hacking
19 Jun 06 |  Tayside and Central

RELATED INTERNET LINKS
The BBC is not responsible for the content of external internet sites


FEATURES, VIEWS, ANALYSIS
Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

BBC navigation

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.

Americas Africa Europe Middle East South Asia Asia Pacific