Groups list most dangerous software programming errors

The SANS Institute and Mitre today released a list of the 25 most dangerous programming errors that enable cybercrime and cyber espionage. The errors are broken down into three categories: insecure interaction between components in systems, risky resource management and porous defenses.

Five of the dangerous programming errors are improper input validation, failure to preserve Web page structure, improper access controls for authorizing who can do what with the software, using a broken or risky cryptographic algorithm and using untrusted search paths.

The list was compiled by more than 40 experts from 35 different academic, government and private-sector organizations. SANS and Mitre managed the compilation effort, the National Security Agency served as the impetus for the project, and the Homeland Security Department provided financial support, according to a news release.

The list is important because it focuses on the actual programming errors made by software developers that create vulnerabilities rather than on the effects of the errors, officials said.

SANS and Mitre said having the list of identified errors would allow software buyers to purchase safer software and give programmers tools to consistently measure the security of the software they are writing.

"The publication of a list of programming errors that enable cyber espionage and cybercrime represents an important turn in software security awareness from a system administrator-centered view ... to a software engineering-centered view,” said Konrad Vesey from the National Security Agency's Information Assurance Directorate.

“This is very different from what we’ve all been doing in cybersecurity,” said Alan Paller, director of research at SANS. “This isn’t about vulnerabilities; this is about the errors that cause the vulnerabilities.”

Senior government officials have often discussed supply chain security as an important element of cybersecurity generally and an aim of the government’s Comprehensive National Cybersecurity Initiative specifically.

“What’s exciting for us is that it’s not just reactive which we tend to be in society on all things cyber … but this one actually is going for prevention and I think that’s what’s going to make a difference with this one,” said Margie Gilbert, a career intelligence officer who currently works with the cyber coordination executive in the Office of the Director of National Intelligence.