17 February 2010
http://www.h-online.com/security/news/item/Top-25-Programming-Errors-list-updated-933535.html
Just as they did last year, over thirty international security organisations have come together to publish a list of the 25 most dangerous programming errors leading to vulnerabilities that can be exploited for cybercrime and espionage. The 2010 CWE/SANS Top 25 MDPE (Most Dangerous Programming Errors) has been updated with a number of improvements to how the errors are graded, prioritised and categorised. For example, new “Focus Profiles” let readers quickly see the listed errors sorted according to the interests of particular professional roles.
A category-based view of the list sorts the errors into “Insecure Interaction”, covering various injection techniques; “Risky Resource Management”, covering buffer overflows and invalid calculations; and “Porous Defenses”, which encompasses weaknesses in encryption or authentication. In the overall short list, the top problems were cross-site scripting, SQL injection, classic buffer overflows, cross-site request forgery and improper access control.
The idea behind the publication of the list is to make developers aware of the causes of many weaknesses and their ramifications in terms of overall security. The list also includes a section on “Monster Mitigations”, a set of practices which, if followed, can help address many of the Top 25 errors or reduce their severity.
Red Hat’s Mark Cox also published an analysis of the programming errors Red Hat experienced in 2009. He noted that of the eleven flaws that affected Red Hat Linux development, five were not in the Top 25, but four of those were “on the cusp”, having just missed inclusion in the CWE/SANS list. Cox says that “2009 was the year of the kernel NULL pointer dereference flaw”, but that this flaw didn’t make it into the Top 25 because, in 2010, the “Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation”.
Organisations that contributed to the compilation of the list include McAfee, Microsoft, Oracle and Symantec, as well as groups such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC).
The initiative is managed by Mitre and the SANS Institute. It receives funding from US Homeland Security’s National Cyber Security Division and the NSA, both of which also contributed to compiling the list.
The List –
http://cwe.mitre.org/top25/#Listing
| Rank | Score | ID | Name |
| --- | --- | --- | --- |
| [1] | 346 | CWE-79 | Failure to Preserve Web Page Structure (‘Cross-site Scripting’) |
| [2] | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’) |
| [3] | 273 | CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| [4] | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| [5] | 219 | CWE-285 | Improper Access Control (Authorization) |
| [6] | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| [7] | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| [8] | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| [9] | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’) |
| [10] | 188 | CWE-311 | Missing Encryption of Sensitive Data |
| [11] | 176 | CWE-798 | Use of Hard-coded Credentials |
| [12] | 158 | CWE-805 | Buffer Access with Incorrect Length Value |
| [13] | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’) |
| [14] | 156 | CWE-129 | Improper Validation of Array Index |
| [15] | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| [16] | 154 | CWE-209 | Information Exposure Through an Error Message |
| [17] | 154 | CWE-190 | Integer Overflow or Wraparound |
| [18] | 153 | CWE-131 | Incorrect Calculation of Buffer Size |
| [19] | 147 | CWE-306 | Missing Authentication for Critical Function |
| [20] | 146 | CWE-494 | Download of Code Without Integrity Check |
| [21] | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| [22] | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling |
| [23] | 142 | CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) |
| [24] | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| [25] | 138 | CWE-362 | Race Condition |
8 comments
Hosea Pieri says:
April 13, 2010 at 10:50 am (UTC 5.5)
I don’t agree with everything in this blog post, but you do make some very good points. I’m very interested in this matter and I myself do a lot of research as well. Either way it was a well thought-out and nice read, so I figured I would leave you a comment. Feel free to check out my website sometime and let me know what you think.
Thomas Gerling says:
April 19, 2010 at 8:36 pm (UTC 5.5)
I’m pleased I discovered this blog page, I couldn’t obtain any info on this subject matter before. I also run a website, and in case you are ever serious in doing a bit of visitor writing for me, please feel free to let me know; I’m always looking for people to check out my web page. Please stop by and leave a comment sometime!
Cordie Rynders says:
April 20, 2010 at 4:37 am (UTC 5.5)
Excellent write-up, this is very similar to a site that I have. Please check it out sometime and feel free to leave me a comment on it and tell me what you think. I’m always looking for feedback.
Randy Nusom says:
April 21, 2010 at 12:29 am (UTC 5.5)
This is a very fascinating post, I was looking for this info. Just so you know I found your weblog when I was searching for blogs like mine, so please check out my site sometime and leave me a comment to let me know what you think.
Loren Adjei says:
April 21, 2010 at 10:46 pm (UTC 5.5)
This is a very important post, I was looking for this info. Just so you know I located your weblog when I was checking for blogs like mine, so please check out my site sometime and leave me a comment to let me know what you think.
Maple Beyerl says:
April 23, 2010 at 4:58 am (UTC 5.5)
I have read a few of the articles on your website now, and I really like your style of blogging. I added it to my favorites website list and will be checking back soon. Please check out my site as well and let me know what you think.
Branden Hirata says:
April 24, 2010 at 6:54 am (UTC 5.5)
This is a fantastic post, I located your web site searching Yahoo for a similar subject matter and came to this. I couldn’t discover too much alternative material on this piece, so it was great to find this one. I probably will be returning to look at some other articles that you have another time.
Wendie Saro says:
April 26, 2010 at 10:28 pm (UTC 5.5)
This is a useful post, but I was wondering how do I subscribe to the RSS feed?