SANS Names Top 25 Programming Errors

When it comes to programming errors, some are more common than others. A new report from the SANS Institute identifies the top 25 programming errors behind nearly every major type of IT security threat seen over the last year. The report draws on the input of 28 different groups, including those in government and the private sector, and uses the CWE (Common Weakness Enumeration) identifiers to label each weakness.

The report follows one done by SANS on the same topic for 2009, and its findings are similar this time around. But while the SANS list aims to identify the top programming errors overall, there is some disagreement about which programming errors Linux developers actually face most often.

“The takeaway from this list isn’t so much that there is anything here that is particularly new or surprising at all,” Alex Horan, director of product management at Core Security, said in an e-mail to “In fact, what it reinforces is that most organizations, and software/Web app developers, continue to struggle with the same types of security issues that they’ve been dealing with for years.”

The 2010 SANS list is structured differently from the 2009 list, which presented the top 25 broken down into three categories. For 2010, SANS has also provided a single general ranking of the top 25, with Cross Site Scripting (XSS) at number one. Coming in at number two is SQL Injection, a flaw that led to large-scale exploitation in 2009. In December of 2009, one such SQL Injection attack compromised over 125,000 sites. Just a few weeks ago a report blamed SQL Injection for 60 percent of all data breaches in the UK.

But even though SQL Injection has been in the news lately, it’s not a new problem. Four years ago, researchers were raising the red flag alerting developers to the dangers of SQL Injection and yet the issues still persist.

The other items on the SANS list are also not new, starting with “buffer overflow” in the number three spot.

“The simplest type of error, and the most common cause of buffer overflows, is the “classic” case in which the program copies the buffer without checking its length at all,” the SANS report states. “Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.”
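As an added illustration, not taken from the SANS report or from the article, the C below puts the “classic” unchecked copy the report describes next to a bounded version that checks the length before writing. The buffer size, field name and sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed-size field, as in many C protocols. */
#define NAME_MAX 16

/* CWE-120, the "classic" case from the SANS text: the length of src is never
 * compared with the size of dst, so any input of NAME_MAX or more bytes
 * writes past the end of the buffer. Shown only to contrast with the fix;
 * calling it with an over-long src is undefined behaviour. */
void copy_name_classic(char *dst, const char *src)
{
    strcpy(dst, src);               /* no bound, no check */
}

/* Hardened: the caller states dst's size, the length is checked before any
 * byte is written, and over-long input is rejected instead of being
 * truncated silently (truncation can create its own bugs downstream).
 * Returns the number of bytes copied, or -1 if src would not fit. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)  /* >=: room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* The check a reviewer looks for when auditing a copy: would this input
 * overflow a NAME_MAX buffer? 1 = yes, 0 = no. */
int name_overflows(const char *src)
{
    return strlen(src) >= NAME_MAX;
}

/* Helper: copy src into a NAME_MAX buffer with the checked routine and
 * return its result, so callers need not manage the buffer themselves. */
int checked_copy_result(const char *src)
{
    char buf[NAME_MAX];
    return copy_name_checked(buf, sizeof buf, src);
}

/* Helper: 1 if the checked copy succeeded and reproduced src exactly. */
int checked_copy_roundtrips(const char *src)
{
    char buf[NAME_MAX];
    if (copy_name_checked(buf, sizeof buf, src) < 0)
        return 0;
    return strcmp(buf, src) == 0;
}

int main(void)
{
    const char *short_name = "alice";                     /* constructed input */
    const char *long_name  = "this name is far too long"; /* 25 bytes */
    char buf[NAME_MAX];

    copy_name_classic(buf, short_name);   /* fits, so it happens to work */
    printf("classic copy: %s\n", buf);
    printf("checked copy of short name: %d\n",
           copy_name_checked(buf, sizeof buf, short_name));
    printf("checked copy of long name: %d (rejected)\n",
           copy_name_checked(buf, sizeof buf, long_name));
    printf("long name overflows NAME_MAX buffer: %d\n", name_overflows(long_name));
    return 0;
}
```

The point of the hardened routine is that the size travels with the buffer and the comparison happens before the first byte is written; a `strncpy`-style truncation would avoid the overflow but can silently drop the terminator or produce a different name than the one the caller supplied.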

Cross Site Request Forgery (CSRF) takes the fourth spot. CSRF was particularly prominent in 2009 thanks to multiple CSRF attacks on Facebook.

Rounding out the top five is what SANS refers to as ‘Improper Access Control’.

“When access control checks are not applied consistently – or not at all – users are able to access data or perform actions that they should not be allowed to perform,” the SANS report stated. “This can lead to a wide range of problems, including information leaks, denial of service, and arbitrary code execution.”

A missing Linux flaw?

For Linux developers, the SANS list is missing one key programming flaw that adversely affected Linux during 2009. Red Hat developer Alan Cox did an analysis of the top flaws fixed by Red Hat in 2009. At the top of Red Hat’s list was NULL Pointer Dereference, which did not make the SANS top 25 list.

NULL Pointer Dereference was also identified in 2008 by code scanning firm Coverity as the most common type of programming error seen in open source code. A NULL Pointer Dereference occurs when a program uses a pointer it expects to be valid but which is in fact NULL; the typical case is one where a code path initializes a pointer before its use, but another code path bypasses that initialization and reaches the use with the pointer still NULL.
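The following C is an added example, not code from the article, from Red Hat or from Coverity. It shows the pattern just described in miniature: a pointer that is set only on the successful path of a constructed request parser, dereferenced unconditionally in the vulnerable version and guarded in the fixed one. The request format, the function names and the sample lines are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a parsed request of the form "user:flag". */
struct request {
    const char *user;
    int         privileged;
};

/* Fills `out` from a "user:flag" line and returns 1, or returns 0 for a
 * malformed line without touching `out`. Constructed helper, not library code. */
static int parse_request(const char *line, struct request *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return 0;
    out->user = line;
    out->privileged = (colon[1] == '1');
    return 1;
}

/* CWE-476 in the shape the text describes: `req` is initialised only on the
 * successful-parse path; the malformed-input path bypasses that initialisation
 * and reaches the dereference with req still NULL. Calling this with a line
 * that lacks a ':' is undefined behaviour (in a process, normally a crash).
 * Returns 2 for a privileged request, 1 for an unprivileged one. */
int handle_request_vulnerable(const char *line)
{
    struct request  parsed;
    struct request *req = NULL;

    if (parse_request(line, &parsed))
        req = &parsed;              /* initialising path */
    /* bypass path: parse_request failed and req is still NULL */
    return req->privileged ? 2 : 1; /* dereference with no NULL check */
}

/* Hardened: every path that reaches the dereference has either initialised
 * the pointer or been rejected explicitly. Returns -1 for malformed input. */
int handle_request_checked(const char *line)
{
    struct request  parsed;
    struct request *req = NULL;

    if (parse_request(line, &parsed))
        req = &parsed;
    if (req == NULL)                /* the missing check */
        return -1;                  /* reject instead of dereferencing */
    return req->privileged ? 2 : 1;
}

int main(void)
{
    /* Constructed inputs: two well-formed lines and one malformed line. */
    printf("alice:1 -> %d\n", handle_request_checked("alice:1"));
    printf("bob:0   -> %d\n", handle_request_checked("bob:0"));
    printf("garbage -> %d\n", handle_request_checked("garbage"));
    /* handle_request_vulnerable("garbage") would dereference NULL; not called. */
    return 0;
}
```

In an ordinary process the unguarded version is a crash, so a denial of service. In the kernel the same dereference reads from address zero in the current process's address space, and if an unprivileged local user was able to map that page first, the kernel reads attacker-controlled data; that is why the kernel flaws discussed below counted as privilege escalation, and why protections that forbid low mappings (the Linux vm.mmap_min_addr sysctl is one) matter.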

The Linux kernel itself was at risk from a highly critical NULL Pointer Dereference flaw reported in 2009 that had been present in the code since 2001.

“2009 was the year of the kernel NULL pointer dereference flaw, as they could allow local untrusted users to gain privileges, and several public exploits to do just that were released,” Cox wrote in a blog post. “Now, in 2010, the upstream Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation.”

Red Hat isn’t the only group that sees vulnerabilities a little differently. H.D. Moore, Rapid7 CSO and Metasploit Chief Architect, is cautious about the new SANS list.

“Previous top-20 efforts have not always echoed what I see in the real world, since the measurement of “top” generally depends on who you are and what field you are in,” Moore told “Many security metrics read like three blind men describing an elephant, especially when it comes to memory corruption flaws, but the CWE items are not too far off.”

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
