Will the Top 25 worst software errors list released Monday be able to rescue customers from rotten software?
That's the palpable hope from some security managers who have backed the government and industry effort to identify the worst programming mistakes that lead to patch-management headaches and even cybercrime and cyber espionage.
With the Top 25 list, which sprang from an effort that began with the Department of Homeland Security seeking to pinpoint which software weaknesses lead to security breaches, there's optimism that software buyers will be able to use this common set of definitions to ask that software vendors fix their mistakes without major legal or financial fuss.
This list of techie goof-ups starts with "Improper Input Validation" and ends with "Client-Side Enforcement of Server-Side Security." Some point out that vendors may simply ignore the list to brush off concerns and evade responsibility. But some buyers, including New York State, are expected to lead the way in making the Top 25 a big topic of discussion during the software-acquisition process.
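As an added illustration of the two weaknesses that bookend the list, the following Python snippet (example code, not from the article or from MITRE's CWE project) shows a small order handler written twice: a weak version that trusts whatever the client sends, and a hardened version that validates the input and takes the caller's role from a server-side session instead of from the request. The request shape, the session store and the quantity limit are constructed for the example.

```python
"""Constructed illustration of "Improper Input Validation" and
"Client-Side Enforcement of Server-Side Security" (two entries on the
Top 25 list). Not code from the article or from the CWE project."""
from dataclasses import dataclass

# Constructed server-side session store: session id -> role granted at login.
SESSIONS = {"sess-alice": "user", "sess-root": "admin"}

# Constructed business limit for a single order.
MAX_QUANTITY = 100


@dataclass
class Order:
    item: str
    quantity: int
    discount_applied: bool


def place_order_weak(request: dict) -> Order:
    """Weak handler: both weaknesses at once.

    - int() is applied with no range check, so "-5" or "999999999" go through.
    - The role is read from the request body, i.e. the client enforces an
      authorization decision the server should be making.
    """
    quantity = int(request["quantity"])
    is_admin = request.get("role") == "admin"   # client-supplied claim
    return Order(request["item"], quantity, discount_applied=is_admin)


def place_order_hardened(request: dict) -> Order:
    """Hardened handler: validate shape and range, then derive role server-side."""
    item = request.get("item")
    if not isinstance(item, str) or not item.isalnum() or not 1 <= len(item) <= 32:
        raise ValueError("invalid item")

    raw = request.get("quantity")
    # isascii() matters: str.isdigit() also accepts non-ASCII digits that int() parses.
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("quantity must be a decimal integer")
    quantity = int(raw)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")

    # Authorization comes from state the server controls; any "role" field the
    # client sends is simply ignored.
    role = SESSIONS.get(request.get("session"))
    if role is None:
        raise PermissionError("no valid session")
    return Order(item, quantity, discount_applied=(role == "admin"))


def rejected(handler, request: dict) -> bool:
    """True if the handler refuses the request with a validation or permission error."""
    try:
        handler(request)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    hostile = {"item": "widget", "quantity": "-5", "role": "admin", "session": "sess-alice"}
    print("weak     :", place_order_weak(hostile))
    print("hardened :", "rejected" if rejected(place_order_hardened, hostile) else "accepted")
    honest = {"item": "widget", "quantity": "3", "role": "admin", "session": "sess-alice"}
    print("hardened :", place_order_hardened(honest))
```

The point to take from the pair is that the hardened version never has to "detect" a malicious role claim; it does not consult the field at all, and every numeric field is constrained to the range the business logic actually supports before it is used.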
"What keeps me up at night? Application vulnerabilities," says Will Pelgrin, CISO for the State of New York, and director of the New York State office of cybersecurity and critical infrastructure. Vulnerabilities laid out so neatly in the Top 25 list are "increasingly the vector for attacks," he notes.
Pelgrin strongly supports the effort behind the list, which was pulled together with both industry and government input by MITRE Corp. in its "Common Weakness Enumeration" project.
The list was culled from about 700 fundamental software issues MITRE identified over three years. The basic idea for the project is said to have started with the U.S. government's National Security Agency (NSA).