Safe Developing – TOP 25 Programming Mistakes


Together with a few work colleagues (and also friends) I took on a X% project and I’m programming again. I have to say, I had not been actively doing it for over a year, but it feels good coming back to my roots for a while. I’m excited about the idea and I might come back to it after its launch.

The introductory paragraph above is my way of saying that a friend suggested I take a look at the TOP 25 Most Dangerous Programming Errors by the SANS Institute. The document is very interesting, although part of what is written exceeds my knowledge (by far). I highly recommend every developer take a look at it, especially if you work on security components. It is a good document to have at hand and, if you want to learn more, the site has information on all the items in the list.

The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites.

Here is the full list for your convenience:

CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation

CWE-116: Improper Encoding or Escaping of Output

CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)

CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

CWE-319: Cleartext Transmission of Sensitive Information

CWE-352: Cross-Site Request Forgery (CSRF)

CWE-362: Race Condition

CWE-209: Error Message Information Leak


CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

CWE-642: External Control of Critical State Data

CWE-73: External Control of File Name or Path

CWE-426: Untrusted Search Path

CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)

CWE-494: Download of Code Without Integrity Check

CWE-404: Improper Resource Shutdown or Release

CWE-665: Improper Initialization

CWE-682: Incorrect Calculation


CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CWE-259: Hard-Coded Password

CWE-732: Insecure Permission Assignment for Critical Resource

CWE-330: Use of Insufficiently Random Values

CWE-250: Execution with Unnecessary Privileges

CWE-602: Client-Side Enforcement of Server-Side Security
