The SANS Institute released not only a top 25 list of dangerous programming errors for developers, but also resources to help developers understand and eliminate those errors. It looks like a prioritization and expansion of the exhaustive list compiled in Mark Dowd, John McDonald and Justin Schuh’s book “The Art of Software Security Assessment”.
The list is being touted as a learning resource for software developers: “Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.” Its impact is hoped to cover the following four areas:
- Software buyers will be able to buy much safer software.
- Programmers will have tools that consistently measure the security of the software they are writing.
- Colleges will be able to teach secure coding more confidently.
- Employers will be able to ensure they have programmers who can write more secure code.
For example, the first dangerous mistake listed is “Improper Input Validation”, a problem that leads to buffer overflows and drive-by exploits in web browsers like Internet Explorer and Firefox and their plugins like Adobe Reader and Flash, bot and worm propagation across networks by attacking system services, web server compromise via SQL injection, and many other malware problems. A fairly lengthy list of Java, C, SQL and PHP programming error examples is provided.
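As an added illustration of that first category (this is not code from the SANS list or from the book), the snippet below shows the same user lookup written two ways: one that pastes the input straight into the SQL text, and one that checks it against an allowlist and binds it as a query parameter. The users table, its rows and the USERNAME_RE allowlist are constructed for the example.

```python
"""Improper input validation: SQL injection and its fix.

Added example, not from the SANS list or the book it draws on. The users
table and its rows are constructed for the demo.
"""
import re
import sqlite3

# Allowlist for usernames: letters, digits, '_' and '.', 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{1,32}")


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is pasted straight into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology,
    so the query returns every row instead of one.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: validate the input, then bind it as a query parameter.

    Validation rejects anything outside the expected character set, and
    parameter binding keeps the value out of the SQL text, so a value that
    slips past validation still cannot change the query.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()
```

Both checks matter: the allowlist catches malformed input early with a clear error, while parameter binding is what actually prevents the value from being interpreted as SQL.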
Hopefully comp sci students, teachers and developers around the world will take the time to read and understand this list. At first glance, it appears to be a valuable living resource.