25 most dangerous software coding errors that help cyber criminals revealed

Subscribe to Oneindia News

London, Jan 14 (ANI): The US National Security Agency along with 30 organisations have put together a list of the 25 most dangerous coding mistakes in the world.

The list contains errors, which may disclose a number of security holes or vulnerable areas that can be targeted by cyber criminals.

According to experts, many of these errors are not well understood by programmers.

The SANS Institute in Maryland said that in 2008, just two of the errors led to more than 1.5m web site security breaches.

This is believed to be the first time the industry has reached agreement on the worst things that can creep into software while it is being written.

The organisations, which helped making the list, include the US National Security Agency, the Department of Homeland Security, Microsoft, and Symantec published the document.

"The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers," the BBC quoted Chris Wysopal, chief technology officer with Veracode, as saying.

SANS director, Mason Brown said: "There appears to be broad agreement on the programming errors. Now it is time to fix them. We need to make sure every programmer knows how to write code that is free of the top 25 errors."

While, most of the earlier advice focused on vulnerabilities that could have originated from programming errors, the 25 list examines the actual programming errors themselves.

The 25 Most Dangerous Programming Errors are:

CWE-20:Improper Input Validation

CWE-116:Improper Encoding or Escaping of Output

CWE-89:Failure to Preserve SQL Query Structure

CWE-79:Failure to Preserve Web Page Structure

CWE-78:Failure to Preserve OS Command Structure

CWE-319:Cleartext Transmission of Sensitive Information

CWE-352:Cross-Site Request Forgery

CWE-362:Race Condition

CWE-209:Error Message Information Leak

CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer

CWE-642:External Control of Critical State Data

CWE-73:External Control of File Name or Path

CWE-426:Untrusted Search Path

CWE-94:Failure to Control Generation of Code

CWE-494:Download of Code Without Integrity Check

CWE-404:Improper Resource Shutdown or Release

CWE-665:Improper Initialization

CWE-682:Incorrect Calculation

CWE-285:Improper Access Control

CWE-327:Use of a Broken or Risky Cryptographic Algorithm

CWE-259:Hard-Coded Password

CWE-732:Insecure Permission Assignment for Critical Resource

CWE-330:Use of Insufficiently Random Values

CWE-250:Execution with Unnecessary Privileges

CWE-602:Client-Side Enforcement of Server-Side Security (ANI)

Please Wait while comments are loading...