Top 25 'most dangerous' coding errors revealed

Security organizations, companies, and academics have banded together to produce a list of what they consider to be the most critical coding errors.

Security experts from U.S. government agencies, multinational companies, and academia have released a list of what they consider to be the 25 most critical errors made while coding software.

Participants from more than 30 organizations worked together to agree on the 25 "most dangerous" errors, the SANS Institute said in a statement on Monday. They included experts from the U.S. National Security Agency, the U.S. Computer Emergency Response Team (US-Cert), Mitre, and the Sans Institute, as well as from Microsoft, Apple, and Oracle.

The list was released so programmers can check their code for the most common errors that produce security vulnerabilities.

"(The list) is going to change the way organizations buy software, right away," Alan Paller, director of the Sans Institute, told ZDNet UK.

The top two coding errors were improper input validation and improper encoding or escaping of output, according to Steven Christey of Mitre, who said those particular errors "earned the top rating for good reason."

"In 2008, hundreds of thousands of innocent, and generally trusted, Web pages were modified to serve malware by automated programs that burrowed into databases using SQL injection," Christey said in a statement. "The attack worked because countless programmers made the exact same (input validation and improper output encoding) mistakes in their software."
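The following is an added Python illustration of the two errors Christey describes, not code from the article or from the Top 25 list itself; it assumes an in-memory SQLite table with constructed sample rows and places a query built from raw input beside its parameterised form, and unencoded HTML output beside an escaped one.

```python
import html
import sqlite3

# Constructed sample data: a tiny "pages" table standing in for the
# web-site databases rewritten by the 2008 mass SQL injection campaigns.
CONSTRUCTED_ROWS = [
    (1, "alice", "<p>Welcome</p>"),
    (2, "bob", "<p>Hello</p>"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def find_pages_vulnerable(conn, owner):
    # Error #1 (improper input validation): untrusted input is pasted into
    # the SQL text, so the database parses it as part of the query.
    sql = "SELECT id, body FROM pages WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def find_pages_safe(conn, owner):
    # Fix: a parameterised query fixes the statement structure before any
    # user input is seen, so the value can only ever be compared as data.
    sql = "SELECT id, body FROM pages WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def render_vulnerable(user_text):
    # Error #2 (improper output encoding): user-controlled text is written
    # straight into HTML, so any markup in it becomes part of the page.
    return "<div>" + user_text + "</div>"


def render_safe(user_text):
    # Fix: encode for the HTML context at the point of output.
    return "<div>" + html.escape(user_text, quote=True) + "</div>"


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"               # constructed, not a real account
    print(find_pages_vulnerable(db, probe))   # every row comes back
    print(find_pages_safe(db, probe))         # [] - treated as a literal name
    print(render_safe('<b>"quoted"</b>'))     # tags and quotes are encoded
```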

The full list of coding errors, and information on how to fix them, is available from the Sans Institute Web site.

Tom Espiner of ZDNet UK reported from London.
