On January 12, 2009, experts from more than 30 cyber security organizations jointly released a consensus list of the top 25 most dangerous programming errors (http://www.sans.org/top25errors/). This list attempts to boil down the more than 700 possible causes of software security issues to the ones that are so prevalent and severe that no software should be released to customers without evidence that measures were taken to ensure the software does not contain any of these errors. The Top 25 errors were further broken down into 3 categories: Insecure Interaction between Components that contains 9 errors, Risky Resource Management which contains 9 errors and Porous Defenses has the final 7 errors.
Maybe not surprisingly, many programmers and software testers are not properly trained to recognize, isolate and resolve these issues. Some believe that it is not more that software developers are not educated in secure programming techniques but more that C level executive will not build time into the project schedule to apply the principles. To solve the education part and promote safer coding and testing practices, this paper will attempt to examine the big hitters of the list: the errors that are most prevalent, the most frequent and the ones that factor most into other, more complex errors. These heavy hitters are not simply in the first category or ranked in the top 10 but spread among all 3 categories. By explaining each big hitter and providing code samples, this paper will reach the goal of providing education to software developers, testers and project management that will lead to more secure software for the most sensitive customer facing web applications. Now, the only issue for employees to solve is to get buy- in from senior level management.
This document is in PDF format. To view it click here.