Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development
    • Networking

    List of Most Dangerous Programming Errors Changes IT Security Discussion

    By
    Brian Prince
    -
    January 12, 2009
    Share
    Facebook
    Twitter
    Linkedin

      SQL injection, cross-site scripting – the list of security issues affecting the programs we use daily goes on and on. So often, however, conversations about IT security focus on how to address existing vulnerabilities rather than how to prevent them from coming about in the first place.

      It is here that the list of the Top 25 Most Dangerous Programming Errors released today comes into play. The list was compiled by a team of experts from more than 30 organizations, including Microsoft, Symantec and the U.S. National Security Agency (NSA). By combining a list of problems with general advice on mitigations, the authors have effectively proposed a shift in thinking about common vulnerabilities.

      “The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager of the National Security Agency, in a statement. “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause.”

      The list separates the errors into three categories: insecure interaction between components, risky resource management and porous defenses. The errors themselves range from improper input validation to hard-coding passwords, and can lead to issues such as cross-site scripting and SQL injection attacks.

      Two other common errors included on the list are improper encoding or escaping of output and the use of broken or risky cryptographic algorithms.

      The impact of all these errors is wide ranging. According to the SANS Institute, just two of the errors led to more than 1.5 million Web site security breaches last year.

      Paying attention to these problems earlier on allows people to focus on improving software development practices, tools and requirements earlier in the development lifecycle where it is more cost-effective, Sager added.

      When knowledge of the most common problems becomes pervasive, buyers will exert more pressure on software vendors to certify the code they are delivering is free from these errors. The certification, the authors contend, puts responsibility for the errors – and any damage they cause – in the hands of the software vendor. While this would likely cause some inevitable clashes between development teams, marketing and sales, it would also ensure vendors take more time vetting their products.

      Already, the standard procurement language under development by New York state is being adjusted to use the Top 25 Errors.

      “Let’s use this list as a way to jumpstart the solutions – make 2009 a year to make things happen and solve these problems that have been around way too long,” said Ryan Berg, chief scientist at Ounce Labs, in a statement. “Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late.”

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×