CWE/SANS TOP 25 Most Dangerous Programming Errors

It’s rare when you can get a bunch of software people to agree on much of anything. Just think of all the programming language wars going on and the debates over which browser or operating system to use. So when I hear that a bunch of experts have agreed on the most dangerous programming errors, that gets my attention. What I found was the CWE/SANS TOP 25 Most Dangerous Programming Errors list.

The impetus for this list was in large part better software security. Reliability was a concern as well, of course. But security is getting a lot of attention these days, and programming errors are responsible for a lot of security issues in software. I don’t underestimate the number of security issues caused by people problems, but we can’t fix those in code. We can, however, build more secure code. So this list will help a lot of organizations in the future. In my opinion education is a key piece, and the people behind this list agree.

Colleges and others who prepare programmers will use the Top 25 Errors as a foundation for curriculum that ensures their students know how to avoid the critical programming errors. One of the colleges that participated in developing the Top 25, UC Davis, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities. The Top 25 enables the clinic to prioritize errors in its review. Other colleges are beginning to emulate the secure coding clinics.

Besides the list itself, there is a lot of supporting information on the page. There are quotes from experts explaining the importance of these errors and why programmers need to learn about them and how to avoid them. I think this is a great list for students, even beginners, to know about and to ask questions about. For professional programmers, or those who expect to become professionals, this list is a must read.