Groups list most dangerous software programming errors

The SANS Institute and Mitre today released a list of the 25 most dangerous programming errors that enable cybercrime and cyber espionage. The errors are broken down into three categories: insecure interaction between components in systems, risky resource management and porous defenses.

Five of the dangerous programming errors are improper input validation, failure to preserve Web page structure, improper access controls for authorizing who can do what with the software, using a broken or risky cryptographic algorithm and using untrusted search paths.

The list was compiled by more than 40 experts from 35 different academic, government and private-sector organizations. SANS and Mitre managed the compilation effort, the National Security Agency served as the impetus for the project, and the Homeland Security Department provided financial support, according to a news release.

The list is important because it focuses on the actual programming errors made by software developers that create vulnerabilities rather than on the effects of the errors, officials said.

SANS and Mitre said having the list of identified errors would allow software buyers to purchase safer software and give programmers tools to consistently measure the security of the software they are writing.

“The publication of a list of programming errors that enable cyber espionage and cybercrime represents an important turn in software security awareness from a system administrator-centered view ... to a software engineering-centered view,” said Konrad Vesey from the National Security Agency's Information Assurance Directorate.

“This is very different from what we’ve all been doing in cybersecurity,” said Alan Paller, director of research at SANS. “This isn’t about vulnerabilities; this is about the errors that cause the vulnerabilities.”

Senior government officials have often discussed supply chain security as an important element of cybersecurity generally and an aim of the government’s Comprehensive National Cybersecurity Initiative specifically.

“What’s exciting for us is that it’s not just reactive, which we tend to be in society on all things cyber … but this one actually is going for prevention, and I think that’s what’s going to make a difference with this one,” said Margie Gilbert, a career intelligence officer who currently works with the cyber coordination executive in the Office of the Director of National Intelligence.

About the Author

Ben Bain is a reporter for Federal Computer Week.
