SANS Top 25 Most Dangerous Coding Errors

Monday, January 26, 2009


Hello, I am Bruce Lowenthal, Director of the Oracle Security Alerts Group. My group is responsible for all communication with external researchers regarding Oracle product vulnerabilities and is also responsible for coordinating the creation and distribution of fixes for product vulnerabilities via Oracle's Critical Patch Update program.

On January 12th, SANS issued a report detailing the Top 25 Most Dangerous Programming Errors. I, as the Oracle representative, was one of many contributors to this paper. In this blog post I want to discuss some of the reasons why a top 25 list of the most dangerous programming errors is important to the software development industry.

First, a summary of the paper. The SANS paper lists the top 25 programming errors, or really categories of errors, that have resulted in security vulnerabilities. Here a security vulnerability is a program defect that could allow an attacker to read, create, delete or modify data without proper authorization, or to deny service to the resources that provide computing services. The categories were determined by a long list of collaborators, including private consultants, members of governmental and security organizations, and members of industry like me.

Each of the SANS programming errors is described, its consequences are noted, and methods to prevent and mitigate it are provided.

An illustrative example from the SANS list is "Improper Input Validation," the class of errors resulting from a lack of validation of input parameters to functions, procedures and applications. A good example from this class is the "buffer overflow" error, where the size of an input parameter exceeds the size of the buffer that was allocated to contain it, so the excess is written over whatever is stored next to the buffer. Buffer overflows can often be exploited to take over the application or even the host system. I believe that Improper Input Validation is the leading cause of security vulnerabilities in software.
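The following C program is an added example, not code from the SANS report or from Oracle, showing the buffer overflow described above beside the input-validation check that prevents it. The 32-byte `frame_t`, the 16-byte name field, the sentinel pattern and the all-'A' inputs are assumptions constructed for the demonstration; the unchecked copy is clamped to the frame only so that the program itself stays within defined behaviour, a limit a real `strcpy` does not have.

```c
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (assumption for this example). On a real stack the
 * bytes after a local buffer are other locals, the saved frame pointer and
 * the return address; here the 16 bytes after the name field stand in for
 * them. Keeping the whole frame in one 32-byte object lets the spill be
 * measured without undefined behaviour. */
enum { NAME_LEN = 16, NEIGHBOUR_LEN = 16, FRAME_LEN = NAME_LEN + NEIGHBOUR_LEN };

typedef struct {
    char bytes[FRAME_LEN];   /* bytes[0..15]: name field, bytes[16..31]: neighbours */
} frame_t;

/* Clears the name field and fills the neighbouring bytes with a sentinel. */
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, NAME_LEN);
    memset(f->bytes + NAME_LEN, 'X', NEIGHBOUR_LEN);
}

/* Number of neighbouring bytes whose sentinel has been overwritten. */
static size_t frame_spill(const frame_t *f) {
    size_t spilled = 0;
    for (size_t i = NAME_LEN; i < FRAME_LEN; i++)
        if (f->bytes[i] != 'X') spilled++;
    return spilled;
}

/* The coding error: the input's length is never compared with the space
 * allocated for it. This is what strcpy(name, src) does on a real stack.
 * The copy is clamped to the frame only so the demonstration stays in
 * bounds; a real strcpy keeps writing until it reaches the terminator.
 * Returns how many bytes beyond the name field were overwritten. */
size_t copy_name_unchecked(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;            /* payload plus terminator */
    if (n > FRAME_LEN) n = FRAME_LEN;      /* demo guard only */
    memcpy(f->bytes, src, n);
    return frame_spill(f);
}

/* The fix: validate the input against the allocated size and reject
 * anything that does not fit, terminator included. 0 = copied, -1 = rejected. */
int copy_name_checked(frame_t *f, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) return -1;          /* n == 15 is the longest that fits */
    memcpy(f->bytes, src, n + 1);
    return 0;
}

/* Wrappers that run each copy against a fresh frame. */
size_t spill_unchecked(const char *src) {
    frame_t f; frame_init(&f);
    return copy_name_unchecked(&f, src);
}
int rc_checked(const char *src) {
    frame_t f; frame_init(&f);
    return copy_name_checked(&f, src);
}
size_t spill_checked(const char *src) {
    frame_t f; frame_init(&f);
    (void)copy_name_checked(&f, src);
    return frame_spill(&f);
}

int main(void) {
    /* Constructed inputs: 15 characters (fits), 16 (one too many), 24 (far over). */
    const char *inputs[] = { "AAAAAAAAAAAAAAA", "AAAAAAAAAAAAAAAA",
                             "AAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("len %2zu  unchecked spill: %zu bytes  checked: %s\n",
               strlen(inputs[i]), spill_unchecked(inputs[i]),
               rc_checked(inputs[i]) == 0 ? "copied" : "rejected");
    return 0;
}
```

The 16-character input is the instructive case: it is only one byte too long, yet the unchecked copy already writes its terminator over the first neighbouring byte, which is exactly the kind of off-by-one a length check against the allocated size catches and a casual reading of the code does not.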

Why is this list important?

One reason is that it alerts programmers to common programming errors that lead to security vulnerabilities. Just by knowing about such problems, a programmer is more likely to avoid them. The list also includes both "tactical" and architectural advice on how to prevent or mitigate such problems. For example, the use of an input validation framework, such as the one in Struts, is an architectural recommendation for avoiding "Improper Input Validation" errors. As tactical advice, the SANS document recommends that programmers avoid "blacklist" validation of input, which rejects only known-bad values: common mistakes in defining blacklists lead to malicious input going undetected, so input should instead be checked against a "whitelist" of known-good values. In addition, the SANS list provides mitigation advice. For example, it recommends running with "least privilege" so that if a compromise occurs, the potential damage is limited. Of course this advice should be heeded when developing software for any type of application.
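To make the blacklist advice concrete, here is an added example, not taken from the SANS report or from any Oracle product, that validates a file name two ways: a blacklist that rejects a couple of known-bad substrings, and a whitelist that accepts only a fixed character set. The denied substrings, the 64-character limit, the allowed character set and the sample names are assumptions constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Blacklist ("deny known bad"): the name is rejected only if it contains one
 * of the substrings the author thought of. Every variant left off the list,
 * different separators, different case, an encoded form, slips through. */
static const char *const DENIED[] = { "../", "/etc/", NULL };   /* assumed list */

bool blacklist_ok(const char *name) {
    for (size_t i = 0; DENIED[i] != NULL; i++)
        if (strstr(name, DENIED[i]) != NULL)
            return false;
    return true;
}

/* Whitelist ("accept known good"): the name must be 1..64 characters drawn
 * from [A-Za-z0-9._-] and must not start with a dot. Nothing else is
 * accepted, so variants nobody anticipated are rejected by default. */
bool whitelist_ok(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64) return false;
    if (name[0] == '.') return false;          /* rules out ".", ".." and dotfiles */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    return true;
}

int main(void) {
    /* Constructed inputs: one legitimate name and four traversal attempts. */
    const char *inputs[] = {
        "report.txt",
        "../etc/passwd",         /* the case the blacklist anticipated */
        "..\\..\\win.ini",       /* backslash separators */
        "/ETC/passwd",           /* case differs; strstr is case-sensitive */
        "%2e%2e%2fpasswd",       /* URL-encoded, decoded later by another layer */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s blacklist: %-8s whitelist: %s\n", inputs[i],
               blacklist_ok(inputs[i]) ? "accepts" : "rejects",
               whitelist_ok(inputs[i]) ? "accepts" : "rejects");
    return 0;
}
```

Three of the four hostile names pass the blacklist and all four fail the whitelist. The point is not that this particular blacklist is badly written, but that any blacklist is a guess at what attackers will send, while a whitelist only has to describe what the program actually expects.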

Thus, the list of the top 25 programming errors can be used directly to improve the security of programs: it gives programmers an understanding of common vulnerabilities, sets forth both architectural and tactical recommendations for avoiding these errors, and recommends methods of mitigating successful exploits of the resulting vulnerabilities. The SANS list may have other effects as well. For example, new publicly available tools for finding, mitigating and avoiding such errors may be developed for general use as a result of it. Also, people who audit or review programs may use the top 25 list to help them assess software products.

I expect that the SANS top 25 list of programming errors will have a significant effect on the software industry. Software development organizations that review this list and quickly take appropriate action to reduce and eliminate the errors described in the list should have a considerable advantage over competitors that do not.

For More Information:
The SANS Top 25 Most Dangerous Coding Errors is available at
