Software developers are to blame for most cyberattacks, say security experts

Researchers release a new list of dangerous programming errors.

Software developers should be accountable for programming errors that enable cyberattacks, security observers said on Tuesday.

Programming errors lie behind most major cyber crimes and security bugs, including the flaw in Microsoft's Internet Explorer Web browser that was used in the recent attacks on Google, according to the updated CWE/SANS Top 25 Most Dangerous Programming Errors list released by the SANS Institute, a research cooperative, and MITRE Corp., a nonprofit technology organization. Alongside the new rankings, acquisition experts announced standard contract language intended to protect software buyers from being held responsible for faulty code.

"Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers," wrote Alan Paller, director of research at SANS Institute, in an e-mail. "The only way programming errors can be eradicated is by making software development organizations legally liable for the errors. And that can only be done if there is a safe harbor. The announcement on Tuesday is the foundation for the safe harbor."

The list ranks programming and design errors based on prevalence and importance. It also includes information on mitigation strategies to help developers reduce or eliminate weaknesses.

"The updated version of the CWE/SANS Top 25 continues to be a useful source of information for code developers and consumers," said Dan Wolfe, director of the Software Assurance Consortium, a group dedicated to identifying and reducing risks posed by software. "Its ranking of code weaknesses by severity and importance helps focus the discussion between developers and their customers on those issues that matter the most. Putting this document into everyday practice will improve the overall security of the software we all utilize in our day-to-day efforts."

Representatives from 28 organizations, including government agencies, academic institutions, technology companies and software vendors, collaborated on the list. The National Security Agency backed the project, and the Homeland Security Department's National Cybersecurity Division provided financial support.

Correction: The original version of this story mischaracterized the error responsible for Google's recent security concerns.
