Each year the SANS Institute and the MITRE Corporation team up to survey the year's most dangerous programming errors. This year's list, the 2011 Common Weakness Enumeration, was published at the end of June. This is a great resource and anyone writing software for the Web should read it carefully. The document is a long and thorough analysis of the errors that led to exploits in the last year.
The report begins with some guidance for different types of users—programmers new to security, programmers experienced in security, project managers, testers, customers, and educators—on how to use the list. Next there is a brief listing of the errors sorted in various ways, followed by a detailed explanation and sample code for each type of error. Finally there is a list of “Monster Mitigations” that establish some general principles for writing secure code.
The top 5 errors were:
- SQL Injection
- OS Command Injection
- Buffer Overflow
- Cross-site Scripting
- Missing Authentication for Critical Function
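The two injection classes at the head of the list come down to the same mistake: untrusted input is pasted into a string that another interpreter (the database, the shell) then parses. Here is an added example, not code from the report or from SANS/MITRE, that puts the vulnerable form beside the mitigated form for both SQL injection and OS command injection. It uses Python's standard `sqlite3` and `subprocess` modules with a small constructed in-memory `users` table; the `ping` command line and the hostname pattern are illustrative choices, and `echo` stands in for the real command so the block runs anywhere.

```python
import re
import sqlite3
import subprocess

# --- SQL injection ---------------------------------------------------------

def make_db():
    """Build a constructed in-memory table with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    """Query text built by string formatting: the input becomes part of the SQL."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

def demo_sql():
    """Return (rows from vulnerable lookup, rows from safe lookup) for a tautology input."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed textbook input; not a real user name
    return len(lookup_vulnerable(conn, probe)), len(lookup_safe(conn, probe))

# --- OS command injection --------------------------------------------------

# Allowlist for a hostname-like argument (assumed policy for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def build_shell_command_vulnerable(host):
    """Concatenates input into a shell string; metacharacters in `host` are honoured."""
    return "ping -c 1 " + host

def build_argv_safe(host):
    """Validate against the allowlist, then return an argv list (no shell involved)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host string: %r" % host)
    return ["ping", "-c", "1", host]

def run_safe(host):
    """Run the validated argument through `echo` (stand-in for ping) without a shell."""
    argv = build_argv_safe(host)
    out = subprocess.run(["echo"] + argv[1:], capture_output=True, text=True, check=True)
    return out.stdout.strip()

def demo_os():
    """Return (vulnerable shell string, safe output for a good host, bad host rejected?)."""
    bad = "example.com; id"  # constructed input carrying a shell separator
    vulnerable = build_shell_command_vulnerable(bad)
    good_output = run_safe("example.com")
    try:
        build_argv_safe(bad)
        rejected = False
    except ValueError:
        rejected = True
    return vulnerable, good_output, rejected

if __name__ == "__main__":
    print("SQL rows (vulnerable, safe):", demo_sql())
    print("OS command (vulnerable string, safe echo, rejected):", demo_os())
```

The vulnerable SQL lookup returns every row because the tautology rewrites the `WHERE` clause, while the parameterised version returns none; the vulnerable shell string carries the injected `; id` intact, while the argv builder refuses it before anything runs. Both mitigations match the report's general advice: keep data out of the code channel, and validate against an allowlist rather than trying to strip bad characters.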
I find OS Command Injection in second place surprising, but sadly all of the others are as expected. It beggars belief that SQL injection is still such a common exploit today. The same could be said of buffer overflow. Of course, as LulzSec has shown us, there is every reason to expect that SQL injection will be a major attack vector for the foreseeable future.
Again, if you are writing code for the Web, you really need to read and study this report.