Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development
    • Networking

    List of Most Dangerous Programming Errors Changes IT Security Discussion

    By
    BRIAN PRINCE
    -
    January 12, 2009
    Share
    Facebook
    Twitter
    Linkedin

      SQL injection, cross-site scripting – the list of security issues affecting the programs we use daily goes on and on. So often, however, conversations about IT security focus on how to address existing vulnerabilities rather than how to prevent them from coming about in the first place.

      It is here that the list of the Top 25 Most Dangerous Programming Errors released today comes into play. The list was compiled by a team of experts from more than 30 organizations, including Microsoft, Symantec and the U.S. National Security Agency (NSA). By combining a list of problems with general advice on mitigations, the authors have effectively proposed a shift in thinking about common vulnerabilities.

      “The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager of the National Security Agency, in a statement. “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause.”

      The list separates the errors into three categories: insecure interaction between components, risky resource management and porous defenses. The errors themselves range from improper input validation to hard-coding passwords, and can lead to issues such as cross-site scripting and SQL injection attacks.

      Two other common errors included on the list are improper encoding or escaping of output and the use of broken or risky cryptographic algorithms.

      The impact of all these errors is wide ranging. According to the SANS Institute, just two of the errors led to more than 1.5 million Web site security breaches last year.

      Paying attention to these problems earlier on allows people to focus on improving software development practices, tools and requirements earlier in the development lifecycle where it is more cost-effective, Sager added.

      When knowledge of the most common problems becomes pervasive, buyers will exert more pressure on software vendors to certify the code they are delivering is free from these errors. The certification, the authors contend, puts responsibility for the errors – and any damage they cause – in the hands of the software vendor. While this would likely cause some inevitable clashes between development teams, marketing and sales, it would also ensure vendors take more time vetting their products.

      Already, the standard procurement language under development by New York state is being adjusted to use the Top 25 Errors.

      “Let’s use this list as a way to jumpstart the solutions – make 2009 a year to make things happen and solve these problems that have been around way too long,” said Ryan Berg, chief scientist at Ounce Labs, in a statement. “Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late.”

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×