Questions: top25@sans.org
(Feb. 16, 2010) Today in Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a new list of the 25 most dangerous software errors that enable security bugs, cyber espionage and cyber crime. These 25 software errors, and their "on the cusp cousins," have been the cause of nearly every major type of cyber attack, including recent penetrations of Google, power systems, and military systems, and millions of other attacks on small businesses and home users. A global effort to eliminate these programming errors is the first step against organized cyber criminals and the persistent threat from competing nation states.
In addition to the most common programming errors, acquisition experts agreed on a standard for contract language between software buyers and developers. The use of this contract language helps ensure buyers are not held liable for software containing faulty code. Coding errors are a common gateway for attackers to penetrate networks.
"The Top 25 provides much needed guidance for software developers focusing on eliminating software security defects in their products," said Robert Auger, co-founder of the Web Application Security Consortium. "If you're involved with software development at your organization and are looking to improve your product security posture, you need to read this."
This year's Top 25 is a substantial improvement over the 2009 list, but the spirit and goals are the same. The list prioritizes its entries using input from 28 different organizations that evaluated each weakness based on prevalence and importance. The new version introduces focused profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also provides a small set of the most effective mitigations, helping developers reduce or eliminate entire groups of weaknesses.
Until now, most guidance has focused on the 'vulnerabilities' that result from programming errors. This is helpful, but the Top 25 focuses on the actual programming and design errors made by developers that create those vulnerabilities. Equally important, the Top 25 Software Errors website provides detailed and authoritative information on mitigation.
People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from NSA's Information Assurance Division to DHS's National Cyber Security Division, from OWASP, WASC, and the Japanese IPA, to Secunia and Purdue University, from Microsoft, Apple, and Red Hat to Juniper, EMC, Symantec, McAfee, and Oracle, and from a wide variety of software security assessment vendors, consultants, and service providers.
MITRE and the SANS Institute managed the Top 25 Software Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE's project engineers came from the U.S. Department of Homeland Security's National Cyber Security Division. The Information Assurance Division at NSA and National Cyber Security Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.
"There appears to be broad agreement on the programming errors," said SANS Director, Mason Brown. "Now it is time for buyers to say we are mad as h*ll, and we are not going to buy software unless you get rid of these errors before you deliver it to us."
"The CWE/SANS Top 25 Software Errors list provides critical inputs every software organization needs to incorporate into their quality and security processes. CISQ will be working to incorporate defined patterns for recognizing these weaknesses into its standardization for security measurement."
-- Dr. Bill Curtis, Director, Consortium for IT Software Quality (CISQ)
"Once again the Top 25 has turned out to be one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The updated list, which has been created based on feedback from many experts in the software security industry, focuses on selection criteria like importance and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in easy-to-read and entertaining language and not only provides a good understanding of common coding mistakes, but also shows how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2010 as they've made previously."
-- Carsten Eiram, Chief Security Specialist, Secunia
"The CWE/SANS Top 25 is an effective tool to help organizations manage risks from today's most critical vulnerabilities. The Microsoft Security Development Lifecycle (SDL) improves security discipline and introduces processes that help prevent most of the CWE/SANS Top 25, and is an important tool to any organization looking to minimize risk of vulnerabilities."
-- Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corporation
"The updated version of the CWE/SANS Top 25 continues to be a useful source of information for code developers and consumers. Its ranking of code weaknesses by severity and importance helps focus the discussion between developers and their customers on those issues that matter the most. Reducing the most common software problems is of interest to both the purchaser and the producer, and the new mitigation strategies are a great tool to guide expectations and foster the best techniques to reduce code weaknesses and to produce more robust software. Putting this document into everyday practice will improve the overall security of the software we all utilize in our day-to-day efforts."
-- Dan Wolf, Director, Software Assurance Consortium
"The 2010 CWE/SANS Top 25 list provides a highly valuable and useful reference that can be used to prioritize items during the Common Criteria evaluation process. For relevant products each element can be reviewed when assessing the mitigations that vendors have incorporated into their designs/development process. The Common Criteria Development Board is examining, through the working groups developing the next version of the Common Criteria, the practical steps involved in such use and appreciates the work that has been performed in producing the overall CWE list, the underlying taxonomies, and related efforts."
-- David Martin, Chair, Common Criteria Development Board