Right before going to press for this edition of SC Magazine, SANS' Alan Paller alerted me to an impending industry announcement that, he said, would be “of interest to business people – not just techies” and “change the way organizations buy software, right away.”
Now, while the last point will need time to be proven, the first seems accurate enough. Jointly made by over 30 cybersecurity organizations, the announcement centered on the release of the first consensus list of the 25 most important programming errors that lead to security bugs, which often enable various types of cybercrime. The release offers in-depth guidance on how to fix these holes.
A couple of things made this different from previous lists. First was the breadth of involvement from experts at various private, public and educational institutions from around the globe. Second was the push for its creation by the NSA, and financial support coming from DHS's National Cyber Security Division.
But perhaps most importantly, this list moves beyond the vulnerabilities that result from programming errors to the actual mistakes that developers make that create the holes in the first place. This means that the consensus list, created with the participation of so many industry experts, and its associated and regularly updated websites (www.sans.org/top25 and cwe.mitre.org/top25) offer details on how to mitigate these all too common, but often lethal, mistakes.
According to experts behind the release of this list, these highly misunderstood errors made by programmers can have a huge impact on a company's ability to stay up and running. “Just two of them led to more than 1.5 million website security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those websites, turning their computers into zombies,” the press release noted.
During a press conference right after the announcement, an NSA spokesperson said that the shared creation and release of such critical programming errors and the detailed fixes for them will prompt a huge change in the way organizations tackle security. And if that means safer computing environments that see more programmers better understanding how to integrate security into the software they're building, then it's a big step in the
Illena Armstrong is editor-in-chief of SC Magazine.