Security experts from Microsoft, Symantec and a host of other organizations including the NSA have compiled a list of the most dangerous software programming errors. The list shifts the focus of IT security discussions from the results of programming vulnerabilities to the programming process itself.
SQL injection, cross-site scripting - the list of security issues
affecting the programs we use daily goes on and on. So often, however,
conversations about IT security focus on how to address existing vulnerabilities
rather than how to prevent them from coming about in the first place.
It is here that the list of the Top 25 Most Dangerous Programming Errors
today comes into play. The list was compiled by a team of experts from
more than 30 organizations, including Microsoft, Symantec and the U.S.
National Security Agency (NSA). By combining a list of problems with
general advice on mitigations, the authors have effectively proposed a
shift in thinking about common vulnerabilities.
"The publication of a list of programming errors that enable cyber
espionage and cyber crime is an important first step in managing the
vulnerability of our networks and technology," said Tony Sager of the
National Security Agency, in a statement. "There needs to be a move
away from reacting to thousands of individual vulnerabilities, and to
focus instead on a relatively small number of software flaws that allow
vulnerabilities to occur, each with a general root cause."
The list separates the errors into three categories: insecure
interaction between components, risky resource management and porous
defenses. The errors themselves range from improper input validation to
hard-coding passwords, and can lead to issues such as cross-site
scripting and SQL injection attacks.
Two other common errors included on the list are improper encoding
or escaping of output and the use of broken or risky cryptographic
The impact of all these errors is wide ranging. According to the
SANS Institute, just two of the errors led to more than 1.5 million Web
site security breaches last year.
Paying attention to these problems earlier on allows people to focus
on improving software development practices, tools and requirements
earlier in the development lifecycle where it is more cost-effective,
When knowledge of the most common problems becomes pervasive, buyers
will exert more pressure on software vendors to certify the code they
are delivering is free from these errors. The certification, the
authors contend, puts responsibility for the errors - and any damage
they cause - in the hands of the software vendor. While this would
likely cause some inevitable clashes between development teams,
marketing and sales, it would also ensure vendors take more time
vetting their products.
Already, the standard procurement language under development by New York state is being adjusted to use the Top 25 Errors.
"Let's use this list as a way to jumpstart the solutions - make 2009
a year to make things happen and solve these problems that have been
around way too long," said Ryan Berg, chief scientist at Ounce Labs, in
a statement. "Far too many solutions exist out there to help address
these all-too-common errors. Start using this list to secure your
software today because if the last few years have been any indication,
tomorrow is already too late."