Friday, January 16, 2009

25 Most Dangerous Programming Errors

Security experts from Microsoft, Symantec and a host of other organizations, including the NSA, have compiled a list of the Top 25 Most Dangerous Programming Errors (the CWE/SANS Top 25). The list shifts the focus of IT security discussions from the vulnerabilities that result from programming errors to the programming practices that produce them.

“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager of the National Security Agency, in a statement. “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause.”

The list groups the errors into three categories: insecure interaction between components, risky resource management and porous defenses. The errors themselves range from improper input validation to hard-coded passwords, and they enable attacks such as cross-site scripting and SQL injection.

Two other common errors included on the list are improper encoding or escaping of output and the use of broken or risky cryptographic algorithms.
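As an added illustration (not code from the article or from the CWE/SANS list itself), the following Python shows three of the errors named above as a vulnerable function beside its corrected form: a string-built SQL query next to a parameterized one, unescaped next to escaped HTML output, and unsalted MD5 password storage next to salted PBKDF2 with a constant-time comparison. The table rows, user names and passwords are constructed sample data; the CWE identifiers in the comments are the standard ones for these weakness classes.

```python
"""Vulnerable-versus-fixed pairs for three Top 25 weakness classes.
Added example; all data below is constructed for illustration."""
import hashlib
import hmac
import html
import os
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- Improper input validation leading to SQL injection (CWE-89) --------

def lookup_role_vulnerable(conn, name):
    """User-controlled text is spliced into the statement, so a quote
    character in the input becomes SQL syntax."""
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_role_safe(conn, name):
    """Parameterized query: the driver binds the value separately and it
    can never be parsed as part of the statement."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# --- Improper encoding or escaping of output (CWE-116), enabling XSS -----

def greeting_vulnerable(name):
    """Attacker-controlled text is placed into HTML unchanged."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Escape at the output boundary so the browser renders it as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Broken or risky cryptographic algorithm (CWE-327) for passwords ----

def store_password_vulnerable(password):
    """Unsalted MD5: fast to brute-force, and equal passwords collide."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password_safe(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password_safe(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_password_safe(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(db, payload))  # every role
    print("safe:      ", lookup_role_safe(db, payload))        # no rows
    print(greeting_safe("<script>alert(1)</script>"))
    salt, digest = store_password_safe("correct horse")
    print(verify_password_safe("correct horse", salt, digest),
          verify_password_safe("wrong", salt, digest))
```

The injection payload works against the concatenated query because the single quote closes the string literal and `OR '1'='1'` makes the predicate true for every row; the same input bound as a parameter simply matches no user. The escaping and hashing pairs follow the same pattern: the fix is applied at the boundary where untrusted data meets the interpreter or the storage format, not scattered through the call sites.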

The impact of these errors is wide ranging. According to the SANS Institute, just two of them led to more than 1.5 million Web site security breaches in 2008.

Paying attention to these problems earlier allows people to focus on improving software development practices, tools and requirements at the stages of the development lifecycle where fixes are most cost-effective, Sager added.

When knowledge of the most common problems becomes pervasive, buyers will exert more pressure on software vendors to certify that the code they deliver is free from these errors. Such certification, the authors contend, puts responsibility for the errors, and for any damage they cause, in the hands of the software vendor. While this would cause some clashes between development teams, marketing and sales, it would also ensure that vendors take more time vetting their products.
