Groups list most dangerous software programming errors

Featured eBooks
Health Tech
Read Now

Next-Generation Computing

Read Now

Space Tech

Read Now
Insights & Reports
Stay Ahead of the Latest Threats with Intelligence-driven Security Operations
Presented By Google Cloud
Download Now
Strengthening cloud security for federal agencies
Presented By Wiz
Download Now
By Ben Bain

By Ben Bain

|

Officials hope that the release of a consensus list of the top 25 most dangerous software programming errors will improve cybersecurity.

The SANS Institute and Mitre today released a list of the 25 most dangerous programming errors that enable cybercrime and cyber espionage. The errors are broken down into three categories: insecure interaction between components in systems, risky resource management and porous defenses.

Five of the dangerous programming errors are improper input validation, failure to preserve Web page structure, improper access controls for authorizing who can do what with the software, using a broken or risky cryptographic algorithm and using untrusted search paths.

The list was compiled by more than 40 experts from 35 different academic, government and private-sector organizations. SANS and Mitre managed the compilation effort, the National Security Agency served as the impetus for the project, and the Homeland Security Department provided financial support, according to a news release.

The list is important because it focuses on the actual programming errors made by software developers that create vulnerabilities rather than on the effects of the errors, officials said.

SANS and Mitre said having the list of identified errors would allow software buyers to purchase safer software and give programmers tools to consistently measure the security of the software they are writing.

"The publication of a list of programming errors that enable cyber espionage and cybercrime represents an important turn in software security awareness from a system administrator-centered view ... to a software engineering-centered view,” said Konrad Vesey from the National Security Agency's Information Assurance Directorate.

“This is very different from what we’ve all been doing in cybersecurity,” said Alan Paller, director of research at SANS. “This isn’t about vulnerabilities; this is about the errors that cause the vulnerabilities.”

Senior government officials have often discussed supply chain security as an important element of cybersecurity generally and an aim of the government’s Comprehensive National Cybersecurity Initiative specifically.

“What’s exciting for us is that it’s not just reactive which we tend to be in society on all things cyber … but this one actually is going for prevention and I think that’s what’s going to make a difference with this one,” said Margie Gilbert, a career intelligence officer who currently works with the cyber coordination executive in the Office of the Director of National Intelligence.

NEXT STORY: Meyerrose to head cybersecurity at Harris