Report: Top 25 Coding Mistakes

An updated list of the top 25 coding errors considered to be responsible for the majority of security vulnerabilities plaguing software was released yesterday, with input from a coalition of government, academic and private sector security organizations.

The most serious common programming error today leaves software open to SQL injection, which lets attackers bypass security controls and reach internal data; it was used in recent attacks by the LulzSec group to breach high-profile targets such as the CIA and an FBI InfraGard chapter, according to the latest ranking of coding errors.

The Top 25 list is a product of the Common Weakness Enumeration (CWE) project, managed by Mitre Corp. and the SANS Institute and co-sponsored by the Homeland Security Department's National Cyber Security Division, to develop a common way of identifying and expressing software programming errors.

This year's list of the Top 25 most serious errors was created with the help of a scoring system and risk analysis framework being developed by the project to prioritize more than 800 common programming weaknesses that have been identified by the program.

The Common Weakness Enumeration was originally released in 2008 with 734 entries; 136 new entries have since been added in the most recent release. The Top 25 list is an effort to prioritize the errors that represent the greatest risks.

"Based primarily on the CWE List and leveraging the SANS Top 20 attack vectors, the main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped," Mitre said in releasing the new list. "Software consumers may also use the list to help them to ask for more secure software, and software managers and CIOs can use the Top 25 as a measuring stick of progress in their efforts to secure their software."

Top weaknesses are grouped into three high-level categories: insecure interaction between components, risky resource management and porous defenses. The No. 1 error in this year's list, "improper neutralization of special elements used in an SQL command," or SQL injection, falls in the insecure interactions category.

SQL injection has long been a recognized problem and moved up one spot from its No. 2 position in last year's list. The top problem in last year's list, cross-site scripting, dropped to No. 4 this year.
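To make the No. 1 entry concrete, the following is an added example (not code from the article, Mitre or SANS) showing the weakness the CWE name describes, "improper neutralization of special elements," next to its fix. The in-memory SQLite table, the user names and the `find_user_*` function names are all constructed for the demonstration. The vulnerable version splices the input into the SQL text, so an apostrophe in the input is read as SQL syntax; the parameterized version passes the value separately, so the driver treats every character as data.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89 pattern: untrusted input is concatenated into the SQL text.

    Special elements in the input are not neutralized, so an apostrophe
    either breaks the statement (a syntax error for a legitimate name like
    o'brien) or changes what the WHERE clause means.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """The fix: a parameterized query.

    The SQL text is fixed at the time of the call and the value travels in
    a separate argument, so the database never parses the input as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A legitimate name with an apostrophe: the safe lookup finds it, the
    # vulnerable lookup cannot even execute the statement.
    print(find_user_parameterized(conn, "o'brien"))
    try:
        find_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable lookup failed:", exc)
    # The same input that bypasses the filter in the vulnerable version is
    # treated as a literal, non-matching user name by the safe version.
    crafted = "' OR '1'='1"
    print(len(find_user_vulnerable(conn, crafted)), "rows from vulnerable lookup")
    print(len(find_user_parameterized(conn, crafted)), "rows from safe lookup")
```

The same idea applies to every database driver and ORM: the query structure is written by the developer, and user-supplied values are bound as parameters rather than assembled into the statement string. A code review or static-analysis rule that flags string concatenation or formatting into a SQL string is the simplest way to catch this class of mistake before shipping, which is the outcome the Top 25 list is meant to encourage.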

Eight new errors made their way into this year's Top 25. The highest-ranked error from last year's list to be pushed out of this year's was improper access control, which allows improper authorization of users; it was No. 5 last year and does not appear this year.

Preliminary versions of the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF) have been released for comment.

"CWSS 0.8 is a significant revision over the previous versions with a better formula, and improvements in the values and weights for individual factors," Mitre said.

"CWRAF provides a way for organizations to apply the Common Weakness Scoring System using specialized scenarios ('vignettes') that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies," Mitre said. "In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments."

Comments on CWSS and CWRAF can be sent to [email protected].

The Top 25 list on Mitre's site includes links to explanations of each error. The list by name:

  1. Improper neutralization of special elements used in an SQL command ("SQL injection").
  2. Improper neutralization of special elements used in an OS command ("OS command injection").
  3. Buffer copy without checking size of input ("classic buffer overflow").
  4. Improper neutralization of input during Web page generation ("cross-site scripting").
  5. Missing authentication for critical function.
  6. Missing authorization.
  7. Using hard-coded credentials.
  8. Missing encryption of sensitive data.
  9. Unrestricted upload of file with dangerous type.
  10. Reliance on untrusted inputs in a security decision.
  11. Execution with unnecessary privileges.
  12. Cross-site request forgery.
  13. Improper limitation of a pathname to a restricted directory ("path traversal").
  14. Download of code without integrity check.
  15. Incorrect authorization.
  16. Inclusion of functionality from untrusted control sphere.
  17. Incorrect permission assignment for critical resource.
  18. Using a potentially dangerous function.
  19. Using a broken or risky cryptographic algorithm.
  20. Incorrect calculation of buffer size.
  21. Improper restriction of excessive authentication attempts.
  22. URL redirection to untrusted site ("open redirect").
  23. Uncontrolled format string.
  24. Integer overflow or wraparound.
  25. Using a one-way hash without a salt.

About the Author

William Jackson is the senior writer for Government Computer News (