Avoiding the Most Common Programming Errors
These mistakes show that the bad guys aren't necessarily skilled; they are simply exploiting your errors.
In the wake of fears that cybercrime will shoot up this year and calls to the incoming Obama administration to beef up cyber security, more than 30 U.S. and international cyber security organizations today released a list of the leading programming errors that impact security on the Web.
The effort was jointly coordinated by MITRE, a not-for-profit organization chartered to work in the public interest, and the SANS (SysAdmin, Audit, Network, Security) Institute. It was funded by the Department of Homeland Security's National Cyber Security Division.
The participants, who ranged from the National Security Agency (NSA) to software vendors to various universities, agreed on a total of 25 major programming errors that show up time and again.
"It's one of those things that should've been done a long time ago," Paul Kurtz, a principal author of the U.S. National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode), told InternetNews.com.
SAFECode, one of the participants, is dedicated to increasing trust in information and communications technology products.
The Top 25 list, available on SANS' Web site, comes with instructions on preventing or mitigating these programming problems. "Most of these errors are not well understood by programmers," SANS says on its Web site. "Their avoidance is not widely taught by computer science programs and their presence is frequently not tested by organizations developing software for sale."
The errors include CWE-89, failure to preserve SQL query structure, which gives rise to SQL injection attacks, one of the favorite attacks of hackers.
Another programming error dealt with is CWE-79, which enables cross-site scripting, another common and dangerous vulnerability in a Web application.
Yet another programming error brought up is improper authorization, an issue that leads to insider data breaches.
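To make the CWE-89 entry concrete, here is an added illustration (not from the article or the Top 25 list) of what "failure to preserve SQL query structure" means in code: one lookup splices user input into the statement text, the other binds it as a parameter. The table, names and inputs are constructed for the demonstration, and it uses only Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed sample data; the apostrophe in the third name is deliberate.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'neil", "oneil@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    # CWE-89 pattern: the input becomes part of the statement text, so it can
    # change the query's structure (or break it) instead of acting only as data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    # The statement structure is fixed here; the driver binds `name` as a value,
    # so quotes or keywords inside it are only ever compared as text.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on a benign name with a quote and on a constructed
    input containing an OR clause; return the results for comparison."""
    conn = make_db()
    results = {}
    # Benign but quote-bearing input: concatenation yields a syntax error.
    try:
        results["unsafe_quote"] = find_email_unsafe(conn, "o'neil")
    except sqlite3.OperationalError as exc:
        results["unsafe_quote"] = "error: " + str(exc)
    results["safe_quote"] = find_email_safe(conn, "o'neil")
    # Constructed input that rewrites the WHERE logic when concatenated.
    tampered = "x' OR 'a'='a"
    results["unsafe_tampered"] = find_email_unsafe(conn, tampered)
    results["safe_tampered"] = find_email_safe(conn, tampered)
    return results
```

The unsafe lookup fails on an ordinary name containing a quote and returns every row for the tampered input, while the parameterised lookup returns exactly one email for the first and nothing for the second.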
Broken algorithms hurt
These errors are serious. According to SANS, two of the errors alone led to more than 1.5 million Web site security breaches during 2008 and the effect of those breaches was multiplied because malware on the tainted Web sites turned the computers of visitors into zombies.