Report: Programming Errors Compromise Software Security

By Entrepreneur Staff

Every year, millions of computers are infected with viruses, and databases with sensitive consumer data are hacked. According to a report by the SANS Institute, a leading organization for computer security training, these security breaches are a result of poor programming.

Together with 30 top international cyber security experts, the SANS Institute has published The Top 25 Most Dangerous Programming Errors, identifying the most common and dangerous programming oversights. In fact, the impact of these errors is so widespread that just two of them--SQL injection (CWE-89) and cross-site scripting (CWE-79)--resulted in more than 1 million website security breaches. Those security breaches flow into the computers of website visitors, rendering their computers inoperable.

According to Steve Christey, principal information security engineer for The MITRE Corp., as well as editor and technical coordinator of Top 25, the purpose of the report is to raise awareness about the small errors made by programmers that result in major security problems. The commission also wanted to arm consumers with information to enable them to demand more secure software programs.

"Universities teach technique," Christey says, "but many programmers come out [of college] never having heard the word security in their classes."

With the push to produce more and more software, the focus is often on creating new code, and producing it quickly. In this environment, the security of the programs becomes an ancillary concern, if it is addressed at all.

The SANS Institute and its affiliates hope the Top 25 report will be a catalyst for forcing the technology industry, which is heavily dependent on software, to create more secure programs. However, Christey notes that it is up to consumers--especially business owners who collect sensitive consumer information--to attach security standards to their software requests. If software consumers demand more secure programs, software developers will be motivated to create better programs in order to compete.

"If developers learn to program more securely," Christey says, "ultimately, they will learn to create better programs."

The Top 25 list was broken down into three categories: insecure interaction between components, risky resource management, and porous defenses. It should come as no surprise that the most common and dangerous programming errors fall into the first category, with improper input validation (CWE-20) identified as the No. 1 killer of healthy software.

Visit http://www.sans.org/top25errors/ to read the full report and find out more about the Top 25 Most Dangerous Programming Errors.

-- Kimberlee Morrison
