Groups list most dangerous software programming errors

The SANS Institute and Mitre today released a list of the 25 most dangerous programming errors that enable cybercrime and cyber espionage. The errors are broken down into three categories: insecure interaction between components in systems, risky resource management and porous defenses.

Five of the dangerous programming errors are improper input validation, failure to preserve Web page structure, improper access controls for authorizing who can do what with the software, using a broken or risky cryptographic algorithm and using untrusted search paths.

The list was compiled by more than 40 experts from 35 different academic, government and private-sector organizations. SANS and Mitre managed the compilation effort, the National Security Agency served as the impetus for the project, and the Homeland Security Department provided financial support, according to a news release.

The list is important because it focuses on the actual programming errors made by software developers that create vulnerabilities rather than on the effects of the errors, officials said.

SANS and Mitre said having the list of identified errors would allow software buyers to purchase safer software and give programmers tools to consistently measure the security of the software they are writing.

“The publication of a list of programming errors that enable cyber espionage and cybercrime represents an important turn in software security awareness from a system administrator-centered view ... to a software engineering-centered view,” said Konrad Vesey from the National Security Agency's Information Assurance Directorate.

“This is very different from what we’ve all been doing in cybersecurity,” said Alan Paller, director of research at SANS. “This isn’t about vulnerabilities; this is about the errors that cause the vulnerabilities.”

Senior government officials have often discussed supply chain security as an important element of cybersecurity generally and an aim of the government’s Comprehensive National Cybersecurity Initiative specifically.

“What’s exciting for us is that it’s not just reactive, which we tend to be in society on all things cyber … but this one actually is going for prevention, and I think that’s what’s going to make a difference with this one,” said Margie Gilbert, a career intelligence officer who currently works with the cyber coordination executive in the Office of the Director of National Intelligence.

About the Author

Ben Bain is a reporter for Federal Computer Week.

