5 Days Left to Save $200 on Automotive Cybersecurity Summit 2017

CWE/SANS TOP 25 Most Dangerous Software Errors


Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Agreement Will Change How Organizations Buy Software.

Project Manager: Bob Martin, MITRE
Questions: top25@sans.org

View the Top 25 Programming Errors for 2010 Here

(January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these programming errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The impact of these programming errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University.

The MITRE and the SANS Institute managed the Top 25 Programming Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE's project engineers came from the US Department of Homeland Security's National Cyber Security Division. The Information Assurance Division at NSA and National Cybersecurity Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion.

"There appears to be broad agreement on the programming errors," says SANS Director, Mason Brown, "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 programming errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."

The Office of the Director of National Intelligence expressed its support saying,

"We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations. The Top 25 programming errors initiative is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."

Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 Programming errors web site provides detailed and authoritative information on mitigation.

"Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens." said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

What You Will Find In This Announcement:

Translations of Top 25 Programming Error Announcement

Which People and Organizations Made Substantive Contributions to the Top 25 Programming Errors List?

Please note that the proposed procurement guidelines incorporate in part language utilizing the OWASP Secure Software Contract Annex.

  • Robert C. Seacord, CERT
  • Pascal Meunier, CERIAS, Purdue University
  • Matt Bishop, University of California, Davis
  • Kenneth van Wyk, KRvW Associates
  • Masato Terada, Information-Technology Promotion Agency (IPA), (Japan)
  • Sean Barnum, Cigital, Inc.
  • Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
  • Adam Hahn, MITRE
  • Jeff Williams, Aspect Security
  • Carsten Eiram, Secunia
  • Josh Drake, iDefense Labs at VeriSign, Inc.
  • Chuck Willis, MANDIANT
  • Michael Howard, Microsoft
  • Bruce Lowenthal, Oracle Corporation
  • Mark J. Cox, Red Hat Inc.
  • Jacob West, Fortify Software
  • Djenana Campara, Hatha Systems
  • James Walden, Northern Kentucky University
  • Frank Kim, ThinkSec
  • Chris Eng and Chris Wysopal, Veracode, Inc.
  • Ryan Barnett, Breach Security
  • Antonio Fontes, New Access SA, (Switzerland)
  • Mark Fioravanti II, Missing Link Security Inc.
  • Ketan Vyas, Tata Consultancy Services (TCS)
  • Lindsey Cheng, Ian Peters and Tom Burgess, Secured Sciences Group, LLC
  • Hardik Parekh and Matthew Coles, RSA - Security Division of EMC Corporation
  • Mouse
  • Ivan Ristic
  • Apple Product Security
  • Software Assurance Forum for Excellence in Code (SAFECode)
  • Core Security Technologies Inc.
  • Depository Trust & Clearing Corporation (DTCC)
  • The working group at the first OWASP ESAPI Summit
  • National Security Agency (NSA) Information Assurance Division
  • Department of Homeland Security (DHS) National Cyber Security Division

Robert Martin, CWE Project Leader at MITRE heralded the effort of these contributors by saying, "It is gratifying to see the amount of collaboration and energy that all these serious, security-savvy people invested in making this list as accurate and authoritative as it can be. Very impressive!"

How Will the Top 25 Programming Errors Be Used?

The Top 25 Programming Errors will have four major impacts:

  • Software buyers will be able to buy much safer software.
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code.

First, software buyers will be able to buy much safer software.

Buyers will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors. Certification shifts responsibility to the vendor for correcting the errors and for any damage caused by those programming errors. The standard procurement language under development by the State of New York and other state governments already is being adjusted to use the Top 25 Programming Errors. Over time the multi-national Common Criteria program may also adopt the Top 25 as one approach for ensuring code purchased by the US government is free of the Top 25 errors.

Second, programmers will have tools that consistently measure the security of the software they are writing.

Software testing tools will use the Top 25 in their evaluations and provide scores for the level of secure coding in software being tested. In parallel with this announcement, on January 12, one of the leading software testing vendors is announcing that its software will be able to test for and report on the presence of a large fraction of the Top 25 Programming Errors. Application development teams will use such testing software during the development process.

Colleges will be able to teach secure coding more confidently.

Colleges and others who prepare programmers will use the Top 25 Programming Errors as a foundation for curriculum that ensures their students know how to avoid the critical programming errors. One of the colleges that participated in developing the Top 25, UC Davis, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities. The Top 25 enables the clinic to prioritize errors in its review. Other colleges are beginning to emulate the secure coding clinics.

Employers will be able to ensure they have programmers who can write more secure code.

Employers will use the Top 25 Programming Errors list as a guide for evaluating and improving skills of programmers they hire and of outsourced programming talent. More than 100 large employers are already using a common assessment tool called the GSSP (GIAC Secure Software Programmer) to measure secure coding skills. The GSSP exams are being reviewed in an effort to fully incorporate and highlight mastery of programming knowledge needed to find and eliminate or avoid the Top 25 Programming Errors. Organizations with at least 500 programmers may have up to 100 of those programmers' secure coding skills assessed confidentially and at no cost. More data on the GSSP may be found at The SANS Software Security Institute Email spa@sans.org to get that started.

Courses are available that teach secure coding skills to programmers in C/C++, in Java, and in .NET languages. Get more information at The SANS Software Security Institute Courses Page.

How Important Are the Top 25 Programming Errors?

We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

National Security Agency's Information Assurance Directorate
"The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively."
-Tony Sager, National Security Agency's Information Assurance Directorate
Depository Trust:
"The CWE-SANS Top 25 Programming Errors is a vital tool for organizations that believe in a risk-based approach to software security enabling them to assess the specific vulnerabilities identified in their environments compared with a composite perspective of risk from industry recognized experts."
- Jim Routh, CISO, The Depository Trust & Clearing Corporation
Microsoft:
"The 2009 CWE/SANS Top 25 Programming Errors project is a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix."
- Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corp.
OWASP Foundation:
"When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task. Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs."
- Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
Symantec:
"The 2009 CWE/SANS Top 25 Programming Errors reflects the kinds of issues we've seen in application software and helps provide us with actionable direction to continuously improve the security of our software."
- Wesley H. Higaki, Director, Software Assurance, Office of the CTO, Symantec Corporation
Software Assurance Consortium:
"As an advocate for the consumer, this is viewed as a giant step forward in providing security for all users. It increases awareness of the various levels of secure software by highlighting its effects on our daily use of all software products. The CWE/SANS Top 25 programming error effort adds the capability to our tool box which in turn aids the SwAC in our mission to bring together Industry and Government to transform the security and dependability of all software products."
- Dan Wolf, Director, Software Assurance Consortium.
EMC:
"The Top 25 List puts a powerful tool into the hands of the programmers along with every person involved in designing and developing software. The simple fact that such a list now exists will allow software assurance to be practiced more effectively."
- Dan Reddy, Consulting Product Manager, EMC Product Security Office
Purdue:
"The CWE Top 25 programming errors should be watched because targeting the most troublesome programming mistakes can potentially reduce the occurrence of vulnerabilities and our exposure at a national level, while diminishing our undesirable dependence on patches."
- Pascal Meunier, CERIAS, Purdue University
Secunia:
"This Top 25 is without a doubt one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The list, which has been created based on feedback from many experts in the security industry, focuses on selection criteria like severity and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today.

The Top 25 programming errors is compiled in a easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2009 as they've made previously."
- Carsten Eiram, Chief Security Specialist, Secunia.
Ken van Wyk:
"This list of programming errors should be enormously useful to the community. It serves to help us all get our collective "arms around" understanding the most common security defects in our code, just as the OWASP Top 10 helps us understand the attacks against those defects."
- Kenneth R. van Wyk, KRvW Associates, LLC
Veracode:
"A prioritized list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The Top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers."
- Chris Wysopal, Co-Founder and CTO of Veracode, Inc.
Core Security Technologies:
"This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities in need of a more rational way to address what are currently the most urgent and relevant software security problems."
- Ivan Arce, CTO of Core Security Technologies Inc.
Breach Security:
"The CWE/SANS Top 25 List is an excellent tactical resource for organizations to prioritize and remediate the root causes of today's successful attacks. This should be required reading for all developers as it is a "Cliff Notes" version of essential secure coding principles."
- Ryan C. Barnett, Director of Application Security Research, Breach Security
McAfee:
"The 2009 CWE/SANS Top 25 Programming Errors effort is right on target. By educating software developers on the most important issues and showing them how to avoid writing security bugs, this effort will help programmers correct code issues before they become security problems."
- Kent Landfield, Director, Risk and Compliance Security Research, McAfee, Inc.
Ounce Lab:
"Let's use this list as a way to jumpstart the solutions - make 2009 a year to make things happen and solve these problems that have been around way too long. Far too many solutions exist out there to help address these all-too-common programming errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late."
- Ryan Berg, Co-Founder and Chief Scientist, Ounce Labs
Grammatech:
"Bugs in software are a plague on our profession and bad for business. They are inevitable, yet understanding of which bugs are most important is often gained the hard and expensive way when they show up in the field. The CWE/SANS Top 25 programming error effort will raise awareness of the huge variety of different kinds of defects that can occur, and will help programmers focus on those that matter most to application quality and security."
- Paul Anderson - Vice President of Engineering, Grammatech Inc.

What Errors Are Included in the Top 25 Programming Errors?

The Top 25 Programming Errors are listed below in three categories:

Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following:

  • Links to the full CWE entry data,
  • Data fields for weakness prevalence and consequences,
  • Remediation cost,
  • Ease of detection,
  • Attack frequency and attacker awareness
  • Related CWE entries
  • Related patterns of attack for this weakness.

Each entry at the Top 25 Programming Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.


Programming Error Category: Insecure Interaction Between Components

CWE-20: Improper Input Validation

It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...MORE >>

CWE-116: Improper Encoding or Escaping of Output

Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...MORE >>

CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')

If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>

CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>

CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>

CWE-319: Cleartext Transmission of Sensitive Information

If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...MORE >>

CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>

CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>

CWE-209: Error Message Information Leak

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>

Programming Error Category: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>

CWE-642: External Control of Critical State Data

There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...MORE >>

CWE-73: External Control of File Name or Path

When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could... MORE >>

CWE-426: Untrusted Search Path

If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time...MORE >>

CWE-94: Failure to Control Generation of Code (aka 'Code Injection')

For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when...MORE >>

CWE-494: Download of Code Without Integrity Check

You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>

CWE-404: Improper Resource Shutdown or Release

When your precious system resources have reached their end-of-life, you need to...MORE >>

CWE-665: Improper Initialization

Just as you should start your day with a healthy breakfast, proper initialization helps to ensure...MORE >>

CWE-682: Incorrect Calculation

When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to...MORE >>

Programming Error Category: Porous Defenses

CWE-285: Improper Access Control (Authorization)

If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>

CWE-259: Hard-Coded Password

Hard-coding a secret account and password into your software's authentication module is...MORE >>

CWE-732: Insecure Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>

CWE-330: Use of Insufficiently Random Values

If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank...MORE >>

CWE-250: Execution with Unnecessary Privileges

Spider Man, the well-known comic superhero, lives by the motto "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky...MORE >>

CWE-602: Client-Side Enforcement of Server-Side Security

Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls...MORE >>

Resources to Help Eliminate The Top 25 Programming Errors

  1. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
    SANS Top 25 Programming Errors Site
    CWE Top 25 Programming Errors Site

    MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

    SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

    Email spa@sans.org for details. And see The SANS Software Security Institute Certification Page for the GSSP Blueprints.

  2. SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
    SAFECode Best Practices PDF
    SAFECode Development Practices PDF

  3. Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at:
    SANS What Works in Internet Security.

  4. New York State has produced draft procurement standards to allow companies to buy software with security baked in.

    If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.

    Draft New York State procurement language will be posted at SANS Application Security Contract.

  5. For additional information on any of these:
    SANS: Mason Brown, mbrown@sans.org
    MITRE: Bob Martin, ramartin@mitre.org
    MITRE: Steve Christey, coley@mitre.org

What Errors Are Included in the Top 25 Software Errors?

Version 2.0 Updated February 16, 2010

The Top 25 Software Errors are listed below in three categories:

Click on the headline in any of the listings (or the MORE link) and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:

  • Ranking of each Top 25 entry,
  • Links to the full CWE entry data,
  • Data fields for weakness prevalence and consequences,
  • Remediation cost,
  • Ease of detection,
  • Code examples,
  • Detection Methods,
  • Attack frequency and attacker awareness
  • Related CWE entries, and
  • Related patterns of attack for this weakness.

Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

View Press Release concerning the 2010 Updates

Archive

Software Error Category: Insecure Interaction Between Components

[1] CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>

[2] CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')

If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>

[4] CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>

[8] CWE-434: Unrestricted Upload of File with Dangerous Type

You may think you're allowing uploads of innocent images...MORE >>

[9] CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>

[17] CWE-209: Information Exposure Through an Error Message

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>

[23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

While much of the power of the World Wide Web is in sharing and following links between web sites, typically there is...MORE >>

[25] CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>


Software Error Category: Risky Resource Management

[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>

[7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

While data is often exchanged using files, sometimes you don't intend to...MORE >>

[14] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Not a lot of Top 25 weaknesses are unique to a single programming language, but that just goes to show how special this one is. The idea...MORE >>

[12] CWE-805: Buffer Access with Incorrect Length Value

A popular insult is: "Take a long walk off a short pier." One programming equivalent for this... MORE >>

[13] CWE-754: Improper Check for Unusual or Exceptional Conditions

Security-wise, it pays to be cynical. If you always expect the worst...MORE >>

[15] CWE-129: Improper Validation of Array Index

If you've allocated an array of 100 objects or structures, and an attacker provides an index that is...MORE >>

[16] CWE-190: Integer Overflow or Wraparound

In the real world, 255+1=256. But to a computer program, sometimes 255+1=...MORE >>

[18] CWE-131: Incorrect Calculation of Buffer Size

In languages such as C, where memory management is the programmer's responsibility, there are many opportunities for error...MORE >>

[20] CWE-494: Download of Code Without Integrity Check

You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>

[21] CWE-770: Allocation of Resources Without Limits or Throttling

If someone calls in and places an order for a thousand pizzas (with anchovies) to be delivered immediately, you'd quickly put a stop to that nonsense. But...MORE >>


Software Error Category: Porous Defenses

[5] CWE-285: Improper Access Control (Authorization)

If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>

[6] CWE-807: Reliance on Untrusted Inputs in a Security Decision

Driver's licenses may require close scrutiny to identify fake licenses, or to determine if a person is using someone else's license. Software developers...MORE >>

[10] CWE-311: Missing Encryption of Sensitive Data

If your software sends sensitive information across a network, such as private data or authentication credentials, that information...MORE >>

[11] CWE-798: Use of Hard-coded Credentials

Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers...MORE >>

[19] CWE-306: Missing Authentication for Critical Function

In countless action movies, the villain breaks into a high-security building by crawling through heating ducts...MORE >>

[22] CWE-732: Incorrect Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>

[24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>


Resources to Help Eliminate The Top 25 Software Errors

  1. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
    SANS Top 25 Software Errors Site
    CWE Top 25 Software Errors Site

    MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

    SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

    Email spa@sans.org for details. And see The SANS Software Security Institute Certification Page for the GSSP Blueprints.

  2. SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
    SAFECode Best Practices PDF
    SAFECode Development Practices PDF

  3. Software Assurance Community Resources Site and DHS web sites

    As part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.

  4. Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at:
    SANS What Works in Internet Security.

  5. New York State has produced draft procurement standards to allow companies to buy software with security baked in.

    If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.

    Draft New York State procurement language will be posted at SANS Application Security Contract.

  6. For additional information on any of these:
    SANS: Mason Brown, mbrown@sans.org
    MITRE: Bob Martin, ramartin@mitre.org
    MITRE: Steve Christey, coley@mitre.org

List of Contributors to the Top 25 Software Errors

  • Robert Auger, Web Application Security Consortium (WASC)
  • Michael Howard and Bryan Sullivan, Microsoft
  • Mark J. Cox, Red Hat Inc.
  • Carsten Eiram, Secunia (Denmark)
  • Chuck Willis, MANDIANT
  • James Walden, Northern Kentucky University
  • Pascal Meunier, CERIAS, Purdue University
  • Romain Gaucher, Cigital, Inc.
  • Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
  • Chris Eng and Chris Wysopal, Veracode, Inc.
  • Ming-Wei (Benson) Wu, Armorize
  • Paul Anderson, Grammatech Inc.
  • Masato Terada, Information-Technology Promotion Agency (IPA) (Japan)
  • Barry Greene, Juniper
  • Kent Landfield, McAfee
  • Hart Rossman, SAIC
  • Jeremiah Grossman, White Hat Security
  • Jeremy Epstein, SRI International
  • Adam Hahn, Drew Buttner, Larry Shields, and Sean Barnum, MITRE
  • Jeff Williams, Aspect Security and the Open Web Application Security Project (OWASP)
  • Kenneth van Wyk, KRvW Associates
  • Bruce Lowenthal, Oracle Corporation
  • Jacob West, Fortify Software
  • Frank Kim, ThinkSec
  • Ryan Barnett, Breach Security
  • Elizabeth Nichols, PlexLogic, LLC
  • Antonio Fontes, New Access SA, (Switzerland)
  • Cristina Cifuentes and John Totah, Sun
  • Ketan Vyas, Tata Consultancy Services (TCS)
  • Paul Wilson, Lindsey Cheng, Jeehye Yun, Tom Burgess, and Jim Kukla, Secured Sciences Group, LLC
  • Matthew Coles, Danny Dhillon, Hardik Parekh, and Nazira Omuralieva, RSA - Security Division of EMC
  • Apple Product Security
  • National Security Agency (NSA) Information Assurance Division
  • Department of Homeland Security (DHS) National Cyber Security Division

How Important Are the Top 25 Software Errors?

We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

"Just wanted to commend the depth of the CWE/SANS Top 25. The code examples are particularly excellent. I have asked all my developers to read one of these each day for the next 25 days. I'm taking my own advice as well, and even though I'm still reading some of the "easy" ones (like SQL injection), I still find that I am learning new things about old topics."

-- Mark E. Haase, OpenFISMA Project Manager, Endeavor Systems, Inc.

"Your document (2009 CWE/SANS Top 25 Most Dangerous Software Errors) is very useful. I would like to publish it on our intranet, for illustrating threats and vulnerabilities about coding."

-- colonel Jean-Michel HOUBRE, from the french MOD.

"We included the top25 reference in a request for bid last year. Project began in December and expect the project to be complete in October 2010. We are hopeful to have a much more secure and better application due to the reference and utilization of the SANS/MITRE Top 25."

-- Richard Lemons, WV Department of Health and Human Resources

"In the collaborated environment and ever increasing business requirements to integrate solutions, insecure applications are an easy target. The business today understands how much damage can be cause to business, revenue and customer confidence due to these issues. To ensure that our deliveries meet / surpass customer expectations on security, the CWE/SANS Top 25 Most Dangerous Software Errors is extensively leveraged in our software security assurance process."

-- Ketan Vyas, Head Application Security Initiative, Tata Consultancy Services

"I've read "2009 CWE/SANS Top 25 Most Dangerous Software Errors" article and found it very useful. I would like to translate it into Russian for our software testing community. Of course, link to original article will be stored."

-- Alexander Kozyrev

"The Top 25 provides much needed guidance for software developers focusing on eliminating software security defects in their products. If you're involved with software development at your organization and are looking to improve your product security posture, you need to read this."

-- Robert Auger, Co Founder of The Web Application Security Consortium

"The CWE/SANS Top 25 list provides a great starting point for developers who want to write more secure code. The majority of the flaw types of the most severe vulnerabilities that Red Hat fixed in 2009 are discussed in this document."

-- Mark J. Cox, Director, Security Response, Red Hat.

"The 2010 CWE/SANS Top 25 Software Errors provides valuable guidance to organizations engaged in the development or deployment of software. This list helps organizations focus on the most dangerous threats so that they can get the most out of their vulnerability reduction effort. The list can also be used as a framework to define short term and longer term programs for the elimination or mitigation of security vulnerabilities. Furthermore, it provides easy to comprehend description of the classes of vulnerabilities and high-level recommendations for mitigating or avoiding them altogether. This list is definitely a must-read for anyone who wishes to develop reasonably secure code."

-- Bruce Lowenthal, Director Security Alert, Oracle Corp.

"It's great to see the CWE/SANS Top 25 list continue to be maintained and mature. Relentlessly spreading the word about the most common security defects in programming is a vital need. The state of security in our software would without a doubt be much improved if everyone who touches software development reads and thoroughly understands this. Kudos."

-- Kenneth R. van Wyk, KRvW Associates, LLC


New Top 25 Software Errors Opens Door to Shift Liability for Faulty Code from Buyers to Developers

Questions: top25@sans.org

(Feb. 16, 2010) Today in Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a new list of the 25 most dangerous Software errors that enable security bugs, cyber espionage and cyber crime. These 25 Software errors, and their "on the cusp cousins" have been the cause of nearly every major type of cyber attack, including recent penetrations of Google, power systems, military systems, and millions of other attacks on small businesses and home users. A global effort to eliminate these programming errors is the first step against organized cyber criminals, and the persistent threat from competing nation states.

In addition to the most common programming errors, acquisition experts agreed on a standard for contract language between software buyers and developers. The use of this contract language helps ensure buyers are not held liable for software containing faulty code. Coding errors are a common gateway for attackers to penetrate networks.

"The Top 25 provides much needed guidance for software developers focusing on eliminating software security defects in their products", said Robert Auger, co-founder of the Web Application Security Consortium. "If you're involved with software development at your organization and are looking to improve your product security posture, you need to read this."

This year's Top 25 is a substantial improvement to the 2009 list, but the spirit and goals are the same. The list prioritizes its entries using inputs from 28 different organizations who have evaluated each weakness based on prevalence and importance. The new version introduces focused profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also provides a small set of the most effective mitigations, helping developers reduce or eliminate entire groups of weaknesses.

Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. This is helpful. But the Top 25 focuses on the actual programming and design errors, made by developers that create the vulnerabilities. As important, the Top 25 Software errors Web site provides detailed and authoritative information on mitigation.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from NSA's Information Assurance Division to DHS's National Cyber Security Division, from OWASP, WASC, and the Japanese IPA, to Secunia and Purdue University, from Microsoft, Apple, and Red Hat to Juniper, EMC, Symantec, McAfee, and Oracle, and from a wide variety of software security assessment vendors, consultants, and service providers.

MITRE and the SANS Institute managed the Top 25 Software Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE's project engineers came from the U.S. Department of Homeland Security's National Cyber Security Division. The Information Assurance Division at NSA and National Cyber Security Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

"There appears to be broad agreement on the programming errors," said SANS Director, Mason Brown. "Now it is time for buyers to say we are mad as h*ll, and we are not going to buy software unless you get rid of these errors before you deliver it to us."

Top 25 Endorsements:

"The CWE/SANS Top 25 Software Errors list provides critical inputs every software organization needs to incorporate into their quality and security processes. CISQ will be working to incorporate defined patterns for recognizing these weaknesses into its standardization for security measurement."

Dr. Bill Curtis - Director of Consortium for IT Software Quality (CISQ)

"Once again the Top 25 has turned out to be one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The updated list, which has been created based on feedback from many experts in the software security industry, focuses on selection criteria like importance and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in an easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2010 as they've made previously."

-- Carsten Eiram, Chief Security Specialist, Secunia

"The CWE/SANS Top 25 is an effective tool to help organizations manage risks from today's most critical vulnerabilities. The Microsoft Security Development Lifecycle (SDL) improves security discipline and introduces processes that help prevent most of the CWE/SANS Top 25, and is an important tool to any organization looking to minimize risk of vulnerabilities."

-- Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corporation.

"The updated version of the CWE/SANS Top 25 continues to be a useful source of information for code developers and consumers. It's ranking of code weaknesses by severity and importance helps focus the discussion between developers and their customers on those issues that matter the most. Reducing the most common software problems is of interest to both the purchaser and the producer and the new mitigation strategies are a great tool to guide expectations and foster the best techniques to reduce code weaknesses and to produce more robust software. Putting this document into everyday practice will improve the overall security of the software we all utilize in our day-to-day efforts."

-- Dan Wolf, Director, Software Assurance Consortium

"The 2010 CWE/SANS Top 25 list provides a highly valuable and useful reference that can be used to prioritize items during the Common Criteria evaluation process. For relevant products each element can be reviewed when assessing the mitigations that vendors have incorporated into their designs/development process. The Common Criteria Development Board is examining, through the working groups developing the next version of the Common Criteria, the practical steps involved in such use and appreciates the work that has been performed in producing the overall CWE list, the underlying taxonomies, and related efforts."

-- David Martin, Chair Common Criteria Development Board