2010s Top 25 Most Dangerous Programming Errors…

The new report from CWE and the SANS Institute on programming errors has now been released. It is based on the combined thinking of experts across the globe and a number of other sources. It should be made compulsory reading for all software engineers… whether developing internal applications or global products!

The report is relatively reader friendly – so you can skip to the good bits if you are an experienced programmer, or just to the bits relevant to testers, managers etc.

So, what was #1… well, it is all about web page structure – getting it wrong opens the door to Cross Site Scripting, which we have heard about for several years now – so there is very little excuse for not getting it right. SQL injection problems come in at #2, and #3 is the classic buffer overflow problem (which was a problem I ran into when I first started using ‘C’ back in the late eighties!).
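To make #1 and #2 concrete, here is an added illustration (my own, not taken from the CWE/SANS report): each weakness is shown as the vulnerable form beside its hardened form. The sample data, the table layout and the function names are constructed for the example; the in-memory SQLite database stands in for whatever the real application talks to.

```python
import html
import sqlite3

# Constructed sample inputs: a "name" carrying markup and a "login" carrying
# SQL metacharacters, the sort of values that arrive from a web form.
UNTRUSTED_NAME = '<script>alert(1)</script>'
UNTRUSTED_LOGIN = "' OR '1'='1"


def render_greeting_unsafe(name: str) -> str:
    """#1 vulnerable form: user input spliced straight into page structure."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """#1 hardened form: HTML-encode for the element-content context first,
    so the browser treats the value as text rather than as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo_db() -> sqlite3.Connection:
    """Constructed two-row users table, in memory, for the SQL examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, login: str) -> list:
    """#2 vulnerable form: the query text is built by string formatting, so
    the value can change the shape of the WHERE clause."""
    sql = f"SELECT login, role FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, login: str) -> list:
    """#2 hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchall()


if __name__ == "__main__":
    print(render_greeting_unsafe(UNTRUSTED_NAME))
    print(render_greeting_safe(UNTRUSTED_NAME))
    conn = demo_db()
    print("unsafe lookup returned", len(find_user_unsafe(conn, UNTRUSTED_LOGIN)), "rows")
    print("safe lookup returned", len(find_user_safe(conn, UNTRUSTED_LOGIN)), "rows")
```

The two safe variants are the whole fix for these cases: encode for the output context, and keep data out of the query text. The check a reviewer wants is the negative one, that the "safe" lookup returns nothing for the metacharacter input while the unsafe one returns every row.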

#10 “Missing encryption of sensitive data” is one that strikes a chord with me – from a Data Leaks perspective. It’s one of the first things I look for when evaluating security in an application. Finally, #16 “Information Exposure through an error message” is good to see highlighted, as it really is becoming a problem – especially in internal apps. Programmers want/need as much information as possible in the event of an error – and so tend to put everything they know about the data record for which the error occurred onto the screen… fine in the old days, but now a lot of that information constitutes a data leak.
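The #16 pattern above, as an added example that is not from the report or from any real application: the "leaky" handler does what the paragraph describes and dumps the exception plus the whole record onto the screen, while the hardened handler sends that detail to the server log under a reference id and shows the user only the id. The customer record, the field values and the discount operation are all constructed placeholders.

```python
import logging
import uuid

# Constructed sample record: the kind of row a lookup hands back. None of
# these values are real; they exist to show what a dump would expose.
CUSTOMER_RECORD = {
    "id": 4711,
    "name": "Example Customer",
    "email": "customer@example.invalid",
    "card_last4": "1234",
    "national_id": "000-00-0000",  # placeholder value
}


class ListHandler(logging.Handler):
    """Keeps formatted log lines in memory so the example can inspect
    what reached the server-side log (a file or SIEM in real use)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


log = logging.getLogger("example.app")
log.setLevel(logging.DEBUG)
log.propagate = False
server_log = ListHandler()
log.addHandler(server_log)


def apply_discount(record: dict, code: str) -> float:
    """Toy business operation; fails because the record has no 'balance'."""
    return record["balance"] * 0.9


def handle_error_leaky(record: dict, code: str) -> str:
    """Vulnerable form: everything the programmer knows goes to the user."""
    try:
        apply_discount(record, code)
        return "ok"
    except Exception as exc:
        return f"Error applying code {code!r}: {exc!r}; record={record!r}"


def handle_error_safe(record: dict, code: str) -> str:
    """Hardened form: full detail (traceback, record id) is logged under a
    reference id; the user-facing message carries only that id."""
    try:
        apply_discount(record, code)
        return "ok"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("discount failed ref=%s record_id=%s", ref, record.get("id"))
        return f"Something went wrong. Reference: {ref}"


if __name__ == "__main__":
    print("LEAKY:", handle_error_leaky(CUSTOMER_RECORD, "SAVE10"))
    print("SAFE: ", handle_error_safe(CUSTOMER_RECORD, "SAVE10"))
    print("server log has", len(server_log.lines), "entry")
```

The support desk loses nothing: the reference id on screen matches the log entry that holds the traceback and the record id, so the detail is still one lookup away, just not on the user's screen. Logging only the record's id rather than the record itself also keeps the sensitive fields out of the log, which is itself a data store that gets copied around.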

So… a quick email out to developers to take a look at the list – and perhaps a prize for those who find one or two examples in their current projects! (Especially if they then fix them in time for the next release…)

Guy Bunker
