A group of 35 high-profile organizations, including the U.S. Department of Homeland Security and the National Security Agency's Information Assurance Division, has released a list of the 25 most serious programming errors. The goal is to focus attention on dangerous software-development practices and ways to avoid those practices, according to officials at the SANS Institute, which coordinated the list's creation. Releasing the list is intended to give software buyers, developers, and training programs a tool to identify programming errors known to create serious security risks. The list will be adjusted as necessary to accommodate new or particularly dangerous programming errors that might arise.
The list is divided into three classes. Nine errors on the list are categorized as insecure interactions between components, another nine are classified as risky resource management errors, and the rest are considered "porous defense" problems. The top two problems are improper input validation and improper output encoding errors, which are regularly made by numerous programmers and are believed to be responsible for the attacks that compromised hundreds of thousands of Web pages and databases in 2008. Other programming errors include a failure to preserve SQL query, Web page structures leading to SQL injection attacks, cross-site scripting vulnerabilities, buffer-overflow mistakes, and chatter error messages.
View Full Article
No entries found