Groups list most dangerous software programming errors
The SANS Institute and Mitre today released a list of the 25 most
dangerous programming errors that enable cybercrime and cyber
espionage. The errors are broken down into three categories: insecure
interaction between components in systems, risky resource management
and porous defenses.
Five of the dangerous programming errors
are improper input validation, failure to preserve Web page structure,
improper access controls for authorizing who can do what with the
software, using a broken or risky cryptographic algorithm and using
untrusted search paths.
The list was compiled by more than 40
experts from 35 different academic, government and private-sector
organizations. SANS and Mitre managed the compilation effort, the
National Security Agency served as the impetus for the project, and the
Homeland Security Department provided financial support, according to a
The list is important because it focuses on the
actual programming errors made by software developers that create
vulnerabilities rather than on the effects of the errors, officials
SANS and Mitre said having the list of identified errors
would allow software buyers to purchase safer software and give
programmers tools to consistently measure the security of the software
they are writing.
"The publication of a list of programming
errors that enable cyber espionage and cybercrime represents an
important turn in software security awareness from a system
administrator-centered view ... to a software engineering-centered
view,” said Konrad Vesey from the National Security Agency's
Information Assurance Directorate.
“This is very different from
what we’ve all been doing in cybersecurity,” said Alan Paller, director
of research at SANS. “This isn’t about vulnerabilities; this is about
the errors that cause the vulnerabilities.”
Senior government officials have often discussed supply chain security
as an important element of cybersecurity generally and an aim of the
government’s Comprehensive National Cybersecurity Initiative
“What’s exciting for us is that it’s not just
reactive which we tend to be in society on all things cyber … but this
one actually is going for prevention and I think that’s what’s going to
make a difference with this one,” said Margie Gilbert, a career
intelligence officer who currently works with the cyber coordination
executive in the Office of the Director of National Intelligence.
Ben Bain is a reporter for Federal Computer Week.