SQL injection, cross-site scripting - the list of security issues affecting the programs we use daily goes on and on. So often, however, conversations about IT security focus on how to address existing vulnerabilities rather than how to prevent them from coming about in the first place.
It is here that the list of the Top 25 Most Dangerous Programming Errors released today comes into play. The list was compiled by a team of experts from more than 30 organizations, including Microsoft, Symantec and the U.S. National Security Agency (NSA). By combining a list of problems with general advice on mitigations, the authors have effectively proposed a shift in thinking about common vulnerabilities.
"The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology," said Tony Sager of the National Security Agency, in a statement. "There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause."
The list separates the errors into three categories: insecure interaction between components, risky resource management and porous defenses. The errors themselves range from improper input validation to hard-coding passwords, and can lead to issues such as cross-site scripting and SQL injection attacks.
Two other common errors included on the list are improper encoding or escaping of output and the use of broken or risky cryptographic algorithms.
The impact of all these errors is wide ranging. According to the SANS Institute, just two of the errors led to more than 1.5 million Web site security breaches last year.
Paying attention to these problems earlier on allows people to focus on improving software development practices, tools and requirements earlier in the development lifecycle where it is more cost-effective, Sager added.
When knowledge of the most common problems becomes pervasive, buyers will exert more pressure on software vendors to certify the code they are delivering is free from these errors. The certification, the authors contend, puts responsibility for the errors - and any damage they cause - in the hands of the software vendor. While this would likely cause some inevitable clashes between development teams, marketing and sales, it would also ensure vendors take more time vetting their products.
Already, the standard procurement language under development by New York state is being adjusted to use the Top 25 Errors.
"Let's use this list as a way to jumpstart the solutions - make 2009 a year to make things happen and solve these problems that have been around way too long," said Ryan Berg, chief scientist at Ounce Labs, in a statement. "Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late."