Breach, Data Security, Incident Response, Network Security, Patch/Configuration Management, TDR, Vulnerability Management

DHS, Microsoft, others release Top 25 programming blunders

A pair of prominent government agencies have teamed up with academic researchers and security software providers to get programmers more focused on security and buyers more clued in to what they're getting.

Experts from more than 30 U.S. and international cybersecurity organizations, including the Department of Homeland Security and National Security Agency, on Monday unveiled the Top 25 list of most dangerous programming errors, which often are leveraged to conduct cybercrime.

Two of the errors -- improper input validation and output encoding, which could be exploited to launch SQL injection attacks -- contributed to more than 1.5 million website breaches last year, according to the study's organizers, MITRE and the SANS Institute.

The 25 mistakes were broken down into three categories: insecure interaction between components (nine), risky resource management (another nine) and porous defenses (seven).

Exacerbating the problem is that many computer science programs do not teach secure coding, so programmers often are not familiar with these errors, experts said on Monday's conference call.

The list is a beneficial tool for organizations acting to ensure these bugs are not present in the software that is developed or purchased, experts said.

“No software should be delivered to customers without evidence that these errors aren't present,” said Chris Wysopal, chief scientist at application security firm Veracode.

New York state plans to adapt this list and is currently adjusting its “standard procurement language” to reflect the Top 25 errors.

The SANS Institute has posted on its website the draft language of New York's procurement standards, which organizations can write into contracts with outsourcers to ensure the code will be fixed if one of these errors is found, said Alan Paller, director of research at SANS.

In addition, organizations can test that outsourcers have adequate secure coding skills with free certification exams, available on the SANS Institute website, Paller said. There also are a number of vendors that offer software that tests code for these errors.

The Top 25 list also informs colleges as to which secure coding elements should be taught and students tested on before would-be programmers begin their careers, experts said.

"This will change the way we go about security," said Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code (SAFECode), an industry group that recently released best practices for secure software development.

Recognizing these common errors in code is an incredibly important development that will drive better coding into the software industry, he said.

Creating more secure software is important because the nation's critical infrastructure depends on these products, Margie Gilbert, representing the Office of the Director of National Intelligence's (DNI) Comprehensive National Cybersecurity Initiative (CNCI), said on the call.

The U.S. government will look into how successful New York state is and may also adapt the list to ensure code is free of these errors, Gilbert said.

Launched by the DHS last year, the CNCI, sometimes referred to as a cybersecurity "Manhattan Project,"  is a 12-point plan to deter foreign hackers.

Organizations that made contributions to the programming blunders list also include well-known security providers such as Microsoft and Symantec and academic professionals from the Purdue and Northern Kentucky universities.

The Top 25 was developed by leveraging MITRE's Common Weaknesses Enumeration (CWE) list, consisting of 700 software weaknesses, to determine the most severe based on how frequent weaknesses appear in code and how severe the damage is.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.