Coalition of Cybersecurity Organizations Reveals 25 Most Dangerous Programming Errors

By Matthew Harwood

Underscoring the importance of cybersecurity for the private and public sectors, a coalition of the world's leading cybersecurity organizations has jointly released a list of the 25 most dangerous programming errors that can lead to vulnerabilities easily exploited by cybercriminals and cyberspies.

Most of the programming errors identified are not well understood by programmers, according to the SANS Institute. Because of this, computer science programs do not teach programmers how to avoid these errors, and software developers do not test for such errors.

In 2008, two of the 25 programming errors identified below caused 1.5 million Web site security breaches.

Scientific American explains how these errors can lead to vulnerabilities:

... you're buying a book online, but the Web site you're using was written with software containing some of these "top 25" errors. In laymen's terms, improper input validation means that a hacker can enter garbage data (random letters, numbers and symbols) into the fields on the Web site's "payment" page, causing that page to malfunction, possibly allowing hackers to access the credit card numbers (along with expiration dates) of the site's customers. The software code doesn't include instructions to check (or validate) whether data entered into a given field is realistic (for example, a 20-digit credit card number should be rejected right away). If the site transfers and stores data in "cleartext" (read: unencrypted), it commits another error on the list and makes the hacker's job even easier.
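The checks the excerpt describes, as an added Python example that is not part of this article or of the Scientific American piece: each payment field is compared against what a realistic value looks like, so a 20-digit card number is rejected outright instead of reaching the rest of the application. The field names, length limits and formats are assumptions chosen for illustration.

```python
import re
from datetime import date

# Constructed allow-list rules for a payment form (CWE-20): every field must
# match the shape of a realistic value before any other code touches it.
CARD_RE = re.compile(r"^[0-9]{13,19}$")           # no issuer uses a 20-digit number
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/([0-9]{2})$")
NAME_RE = re.compile(r"^[A-Za-z .'-]{1,64}$")
ALLOWED_FIELDS = {"card_number", "expiry", "name"}  # assumed form fields


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects typos and random digit strings (not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_payment(fields: dict, today=None) -> list:
    """Return the list of rejection reasons; an empty list means accepted.

    `today` is a (year, month) tuple so the expiry check is deterministic;
    it defaults to the current month. Unknown fields are rejected too, so
    garbage cannot ride along in a parameter nobody validates.
    """
    if today is None:
        today = (date.today().year, date.today().month)
    errors = [f"unexpected field: {f}" for f in sorted(set(fields) - ALLOWED_FIELDS)]

    pan = fields.get("card_number", "").replace(" ", "")
    if not CARD_RE.match(pan):
        errors.append("card number must be 13-19 digits")
    elif not luhn_ok(pan):
        errors.append("card number fails checksum")

    m = EXPIRY_RE.match(fields.get("expiry", ""))
    if not m:
        errors.append("expiry must be MM/YY")
    elif (2000 + int(m.group(2)), int(m.group(1))) < today:
        errors.append("card is expired")

    if not NAME_RE.match(fields.get("name", "")):
        errors.append("name contains unexpected characters or length")
    return errors
```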

By identifying the most dangerous errors, cybersecurity experts and organizations hope to achieve four effects: safer software, better security tools for programmers, more knowledgeable secure-coding classes at universities, and more security-literate programmers in the private sector.

In a word, experts say, it will lead to more secure networks and technologies.

"The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology," said Tony Sager, of the National Security Agency's Information Assurance Directorate and a participant in the compilation of the list. "There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause."

Ryan Berg, co-founder and chief scientist at Ounce Labs, sees the list as a call to arms for cybersecurity professionals.

"Let's use this list as a way to jumpstart the solutions - make 2009 a year to make things happen and solve these problems that have been around way too long," he said.

Aside from the NSA, compiling the list brought other powerhouse cybersecurity organizations together, including the Department of Homeland Security's Cybersecurity Division as well as Microsoft and Symantec. MITRE and the SANS Institute managed the list's creation; the NSA originated the idea, and DHS provided the financial support.

Below, you can view the 25 most dangerous programming errors, courtesy of

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure
  • CWE-79: Failure to Preserve Web Page Structure
  • CWE-78: Failure to Preserve OS Command Structure
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak
  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation
  • CWE-285: Improper Access Control
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security
