The SANS Institute and MITRE's Common Weakness Enumeration (CWE) initiative have jointly released the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. SANS and MITRE led the effort, but input came from more than 30 of the nation's top security organizations, including Federal agencies, corporations, universities, and professional coalitions. Interestingly, consensus was reached with little debate.
The top 25 weaknesses group neatly into three risk categories: insecure interaction between components (9 errors), risky resource management (9 errors), and porous defenses (7 errors). According to the SANS press release, "Most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale." That is surprising, given what the list actually contains. Most of the identified problems boil down to poor input validation and error checking, and code that relies on trust alone: interfaces that let attacker-supplied strings be interpreted as query or command syntax (the injection family), hard-coded passwords, excessively privileged processes, and so on. These same issues have been publicized and discouraged for more than a decade.
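To make the "relies on trust alone" point concrete, here is an added example (my own illustration, not code from the SANS/MITRE release) of the kind of injection weakness that sits in the list's "insecure interaction between components" category. The `users` table, the two login functions and the probe string are all constructed for the demo; it uses Python's standard `sqlite3` module with an in-memory database so it runs offline.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
# Passwords are stored in clear text only to keep the example short;
# that is itself a weakness and not something to copy.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Trusts the caller: both strings are pasted straight into the SQL text,
    so a crafted name or password can change the *structure* of the query
    rather than just its data (the classic SQL injection weakness)."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, name, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so the driver never re-parses user input as query syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo():
    """Run both versions against a valid login, a bad password, and an
    injection probe; returns (vulnerable_result, hardened_result) for each."""
    conn = make_db()
    probe = "' OR '1'='1"   # turns the WHERE clause into a tautology
    return {
        "valid": (login_vulnerable(conn, "alice", "correct horse"),
                  login_hardened(conn, "alice", "correct horse")),
        "wrong_password": (login_vulnerable(conn, "alice", "nope"),
                           login_hardened(conn, "alice", "nope")),
        "injection": (login_vulnerable(conn, probe, probe),
                      login_hardened(conn, probe, probe)),
    }


if __name__ == "__main__":
    for case, (vuln, hard) in demo().items():
        print(f"{case:15s} vulnerable={vuln!s:5s} hardened={hard}")
```

Both functions accept a correct password and reject a wrong one; the difference only shows up on the probe string, which logs the vulnerable version in with no valid credentials at all while the parameterized version simply reports no match. Nothing about the probe needed to be "validated" away: the fix is to stop letting data reach the query parser as code.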
According to SANS, just two of the top 25 errors caused more than 1.5 million web site security breaches during 2008. That is a real problem that needs to be taken seriously. The Internet isn't a playground for academics anymore. It's time to invest in the skills and processes that bring software to a credible standard of reliability.
The full top 25 list is available at MITRE’s Common Weakness Enumeration web site.
Monday, January 19, 2009