TG #21: Dangerous Programming Errors

January 26, 2009 – 11:45 pm

The Top 25 Most Dangerous Programming Errors have been released. Not in a horrifically violent prison break-out or anything, though; a news release did the trick. We’ll review these, and review some Lame News, on this Tweak and Geek.

Programming Errors

SANS Institute Releases Most Dangerous 25 Programming Errors

“Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.”

These errors are said not to be well understood by programmers. This announcement focuses more on the source of vulnerabilities (from a programmatic standpoint) rather than the vulnerabilities themselves (disease rather than symptom).

SANS predicts four major impacts of this list:

  • Software buyers will be able to buy much safer software.
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code.

Insecure Interaction Between Components

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
  • CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
  • CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak

Risky Resource Management

  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation

Porous Defenses

  • CWE-285: Improper Access Control (Authorization)
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security

How can you, as a SW engineer, help to curtail these? How many have you seen in the wild? How many have you perpetrated? And none of these are really new, so — will this list even help?

Lamest News of the Week
(Craig) Would-be bride, 107, seeks her first husband

BEIJING – A 107-year-old Chinese woman who was afraid to marry when she was young has decided to look for her first husband and hopes to find a fellow centenarian so they will have something to talk about, a Chinese paper reported.

Anybody got her number?

(Pat) Mac’s discussion at MacWorld
So, docs can be easily shared with others? Google Docs does that already. And it’s free.

(Laurie) Australian’s Pull no punches when it comes to shark attacks
They always say you should punch a shark to make it let you go. Hopefully Laurie’s travelling friend Edmund won’t have to put this tip to use!

Listener-driven Episode 22
Call, email, or comment! We’re going to build episode 22 of T&G entirely from user ideas, suggestions, and stories. Submit them by February 6th, or it could be a short episode.

TrackBack URI for this entry is
  1. 3 Responses to “TG #21: Dangerous Programming Errors”

  2. We forgot the most important two:

    26. Pat misnumbering episodes, as “22” will probably be “25” or so.
    27. Craig.

    By Pat on Jan 27, 2009

  3. Thanks for highlighting SANS and the Top 25 Most Dangerous Programming Errors on Tweak and Geek!

    We’ve got lots of other Free Resources in addition to our computer security training courses. Here’s the url to the SANS homepage for more info:

    By Sharon Gonsalves on Jan 27, 2009

  4. I have made some(most) of these errors when I was but a young coder. Some I was able to correct, some I left for others.

    Good show in all. I like the geeky stuff!

    By ShadesOfGrey on Jan 28, 2009

Post a Comment