I’ve interrupted my planned schedule of upcoming articles to bring you something I think should be brought to the attention of any programmers in my audience sooner, rather than later.

The SANS Institute has explanations of the 25 most dangerous programming errors, according to security experts from all over the world working for a number of different computer security organizations. As pointed out early in the article:

The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

The 25 errors, organized by type, are:

Insecure Interaction Between Components

  • Improper Input Validation
  • Improper Encoding or Escaping of Output
  • Failure to Preserve SQL Query Structure
  • Failure to Preserve Web Page Structure
  • Failure to Preserve OS Command Structure
  • Cleartext Transmission of Sensitive Information
  • Cross-Site Request Forgery
  • Race Condition
  • Error Message Information Leak

Risky Resource Management

  • Failure to Constrain Operations within the Bounds of a Memory Buffer
  • External Control of Critical State Data
  • External Control of File Name or Path
  • Untrusted Search Path
  • Failure to Control Generation of Code
  • Download of Code Without Integrity Check
  • Improper Resource Shutdown or Release
  • Improper Initialization
  • Incorrect Calculation

Porous Defenses

  • Improper Access Control
  • Use of a Broken or Risky Cryptographic Algorithm
  • Hard-Coded Password
  • Insecure Permission Assignment for Critical Resource
  • Use of Insufficiently Random Values
  • Execution with Unnecessary Privileges
  • Client-Side Enforcement of Server-Side Security

More information about the list as a whole, and about each of the individual vulnerabilities, can be found at the CWE/SANS Top 25 Most Dangerous Programming Errors page. This is, in short, a syllabus for one of several secure programming courses that should be taught to everybody looking to pursue a career as a programmer. If you’re a software developer, you should start learning about these vulnerability types, and how to avoid them, without delay.

Special thanks to Sterling Camden, of TechRepublic’s own IT Consulting Weblog, for inspiring me to write this article.