Software Security: Top 25 Flaws Developers Blindly Build Into Applications

By Fahmida Y. Rashid  |  Posted 2011-12-22
Many of the recent high-profile security breaches took advantage of common, well-known software flaws in applications, such as SQL injection, cross-site scripting and buffer overflows. Most of these flaws are inadvertently introduced during development because developers don't understand security, are rushed for time or are simply used to "the way the Web works" without thinking about the security implications. The development lifecycle needs to focus on avoiding security flaws from the beginning, and developers must learn to recognize the most common software errors, David Koretz, CEO of Mykonos Software, told eWEEK.

Earlier this year, the SANS Institute, in conjunction with the nonprofit technology research corporation Mitre and the Department of Homeland Security, released the annual Common Weakness Enumeration/SANS Top 25 Most Dangerous Software Errors. The top issues were exploited by groups such as LulzSec and Anonymous in their attacks against Sony Pictures, PBS.org and HBGary Federal in 2011. A Citigroup breach, which exposed credit card information for more than 300,000 account holders, relied on the "missing authorization" flaw: the site did not check whether the user was allowed to perform a particular action. All of these software flaws are easy for attackers to find using basic scanning tools.

Below, eWEEK has distilled the basics of the top 25 most dangerous software errors. Related programming flaws and exploits are combined in some pages to reduce the total slides from 25 to 15.
SQL Injection

Arguably one of the easier attacks to prevent, SQL injection is also the most common software bug in applications. Attackers enter database commands into an online form; if the application splices that text into a query, the database executes the attacker's commands, letting them read or siphon off data directly. Developers need to build in logic to handle invalid input so that user-supplied text is never interpreted as part of a database command.
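To make the mitigation concrete, here is an added example (not code from the eWEEK article or from Mykonos Software) that puts a flawed lookup beside its hardened form. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table, sample rows and the allowlist pattern in `is_valid_username` are assumptions chosen for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Assumed allowlist: the application only ever issues usernames of this shape.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Flawed: the form value is spliced into the SQL text, so the database
    parses whatever the user typed as part of the command."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened: the query text is fixed; the form value travels as a bound
    parameter and can only ever be compared as a string value."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Defense in depth: reject input that does not match the allowlist
    before it reaches the database at all."""
    return USERNAME_RE.fullmatch(username) is not None


def handle_request(conn, username):
    """What a request handler should do: validate, then use a bound parameter."""
    if not is_valid_username(username):
        return {"error": "invalid username"}
    return {"rows": lookup_safe(conn, username)}


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # classic tautology typed into the form field
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row leaks
    print("safe:      ", lookup_safe(db, crafted))        # no row matches
    print("handler:   ", handle_request(db, crafted))      # rejected up front
```

The point the comparison makes is that the query string itself must never be assembled from form input: binding the value as a parameter fixes the structure of the command regardless of what the user types, and the allowlist check is a second layer that also gives a clean place to log rejected input for detection.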