Spy agency lists top coding errors

Trade

19 January 2009

America’s National Security Agency has compiled a list of the world’s most dangerous coding errors. The list contains 25 errors that can leave gaps or security holes likely to be targeted by cyber criminals. Experts say many of these errors are not well understood by programmers.

According to the SANS Institute, a software security specialist based in Maryland, two of the coding errors alone led to over 1.5m websites being breached last year.

It is thought that the NSA’s list represents the first time the IT industry has reached agreement on the worst weaknesses that can creep into software as it is being written.

Chris Wysopal, chief technology officer with Veracode, a software code analysis specialist, commented: “The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.”


SANS director Mason Brown noted: “There appears to be broad agreement on the programming errors. Now it’s time to fix them.” Brown added: “We need to make sure every programmer knows how to write code that is free of the top 25 errors. Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors.”

Patrick Lincoln, director of the Computer Science Laboratory at SRI International, said that if programmers prevented these errors from appearing in their code, it would deter most hackers. “This list is primarily for people who have first responsibility for designing a system. Veteran programmers have probably learnt the hard way, whereas a brand new programmer will be making more basic errors.”

Lincoln added: “The dedicated serial attacker will probably still find a way in, even if all these errors were removed. But a high school hacker with malicious intent – ankle-biters if you will – would be deterred.”

Previously, most advice has focused on the vulnerabilities that can result from programming errors. The top 25 list instead examines the programming errors themselves.

The US Office of the Director of National Intelligence, the National Security Council and the Homeland Security Council also lent their support to the list. In a statement, they said: “We believe that integrity of hardware and software products is critical for cyber security.”

“Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation’s critical infrastructure depend on commercial products for business operations.”

The statement concluded: “The top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues, such as cyber education.”
