Report Names Top 25 Worst Programming Errors
Although a recent survey suggests small to medium-size business owners will focus more on data protection
than virus prevention in 2009, a vulnerability report scheduled to be
released today by a compendium of more than 30 organizations and funded
by the Homeland Security Department's National Cyber Security Division,
shows midmarket companies still need to be vigilant on a number of
fronts when it comes to protecting their IT infrastructure from
Experts from more than 30 U.S. and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. The 90-day project, The Top 25 Errors initiative, is managed by the SANS Institute and MITRE Corp. and hopes to give vendors an opportunity to eliminate errors before the software is sold and installed.
The report is broken down into three categories, highlighting first the programming errors and then corresponding solutions. The first category, "Insecure Interaction Between Components," includes nine programming errors in total, such as "Failure to Preserve Web Page Structure" or "cross-site scripting" which allows hackers to access the Web site and start serving code that you didn't write. The second category, "Risky Resource Management," also highlights nine errors, including "External Control of Critical State Data," which can allow hackers to alter data in order to trick your applications into doing something you didn't intend. The seven errors explained in the "Porous Defenses" category offer solutions to weaknesses in user security checks and authorization procedures.
In addition to government organizations such as the National Security Agency's (NSA) Information Assurance Division, public institutions such as the University of California at Davis and private sector enterprises such as Microsoft and security software vendor Symantec participated in the report. "There appears to be broad agreement on the programming errors," SANS Director Mason Brown said. "Now it is time to fix them. First, we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."
The authors of the report hope to achieve four main goals by releasing this report, the results of which can be found here. They hope buyers will be able to buy much safer software, programmers will have tools that consistently measure the security of the software they are writing, colleges will be able to teach secure coding more confidently and employers will be able to ensure they have programmers who can write more secure code.
The report says that until now, most guidance focused on the vulnerabilities that result from programming errors. While SANS believes this is helpful, this report focuses on the actual programming errors made by developers who create the vulnerabilities. The Top 25 Web site provides detailed and authoritative information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens," said Paul Kurtz, a principal author of the U.S. National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).