Thursday, 18 February 2010 17:40

SANS/CWE top 25 most dangerous programming errors


SANS and MITRE have launched the 2010 edition of the 25 most dangerous errors programmers can make (and they do, regularly!).

The Top 25 Most Dangerous Programming Errors is not intended as a list of the typical bugs made by the average programmer.

Instead it lists the dangerous things programmers do - the mistakes that attract attackers and worse.  To quote from the website, it "is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all."

The errors are categorised from the perspective of a variety of interested parties, for instance programmers new to security, experienced security programmers and software project managers.  There is also detailed information on each of the programming errors, along with practical guidance on how to mitigate the risk.

This article is simply intended to announce the release of the list; it won't spend time describing all the errors, but no-one will be surprised to hear that the top three errors are:

1. Cross-site scripting (CWE-79)

2. SQL injection (CWE-89)

3. Buffer overflow (CWE-120, classic buffer copy without checking the size of the input).
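The first two entries are web application errors, and they are easiest to understand side by side with their fix. The following is an added illustration, not code from the SANS/CWE list or from this article; the users table, the names and the secrets are constructed for the demonstration. The vulnerable functions paste untrusted input into SQL text and into HTML; the hardened ones pass the value as a bound parameter and encode it before output. The third entry, the classic buffer overflow, is a native-code problem and is not shown here.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


# CWE-89 (SQL injection): the caller's input becomes part of the statement,
# so quotes and operators in the input change what the query means.
def lookup_vulnerable(conn, name):
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


# Hardened: the statement text is fixed and the value travels as a bound
# parameter, so a quote inside the input is just a character in a string.
def lookup_hardened(conn, name):
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# CWE-79 (cross-site scripting): the caller's input is echoed into markup
# unchanged, so angle brackets in the input become tags in the page.
def greet_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


# Hardened: encode the five HTML metacharacters before the value reaches
# the page, so the browser renders the input as text rather than markup.
def greet_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # classic tautology injection
    print(lookup_vulnerable(db, payload))  # every secret in the table
    print(lookup_hardened(db, payload))    # no user has that literal name
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_hardened("<script>alert(1)</script>"))
```

Run it with a plain Python interpreter; the first lookup returns both secrets because the injected `OR '1'='1'` makes the WHERE clause true for every row, while the bound-parameter version returns nothing. The same pattern applies to the XSS pair: the only difference between the two greeting functions is whether the input is encoded on the way out.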

Quoting again from the site, "The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors and MITRE's Common Weakness Enumeration (CWE).

"MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities."

Programmers and attackers alike will gain much from this information.




David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.


