International security organisations have updated and restructured a list of 25 common programming errors that cause security vulnerabilities and expose software users to cyber attack.

The US-funded collaboration project, which is managed by the Mitre and Sans Institute and brings together security experts from more than 30 global organisations, first compiled its list of 25 risky coding practices in January 2009.

The structure of the list has been modified to make it easier to use by distinguishing mitigations and general secure programming principles from more concrete weaknesses, the organisations said.

This year's top 25 entries are prioritised using inputs from more than 20 organisations, which evaluated each weakness based on prevalence and importance.

Cross-site scripting tops the list, which aims to help businesses improve their software procurement by requiring code to be free of these errors.

The goal is to force suppliers to test the security of their software and to provide customers with their test results. No one likes to share test results that show them writing bad code, said Alan Paller, director of research at the Sans Institute.

New York State is changing its procurement language to ensure that the top 25 errors are avoided, with other states expected to follow.

The integrity of hardware and software products is a critical element of cybersecurity, the Office of the Director of US National Intelligence said.

Creating more secure software is a fundamental aspect of system and network security and the top 25 programming errors initiative is an important component of an overall security initiative for our country, it said.

"We applaud this effort and encourage the utility of this tool through other venues such as cyber education," it said.

Top 25 coding errors

Failure to preserve web page structure ('cross-site scripting')

Improper sanitisation of special elements used in an sql command ('SQL injection')

Buffer copy without checking size of input ('classic buffer overflow')

Cross-site request forgery (CSRF)

Improper access control (authorisation)

Reliance on untrusted inputs in a security decision

Improper limitation of a pathname to a restricted directory ('path traversal')

Unrestricted upload of file with dangerous type

Improper sanitisation of special elements used in an OS command ('OS command injection')

Missing encryption of sensitive data

Use of hard-coded credentials

Buffer access with incorrect length value

Improper control of filename for include/require statement in PHP program ('PHP file inclusion')

Improper validation of array index

Improper check for unusual or exceptional conditions

Information exposure through an error message

Integer overflow or wraparound

Incorrect calculation of buffer size

Missing authentication for critical function

Download of code without integrity check

Incorrect permission assignment for critical resource

Allocation of resources without limits or throttling

URL redirection to untrusted site ('open redirect')

Use of a broken or risky cryptographic algorithm

Race condition

Explanation and advice about the errors >>