Groups release top 25 programming errors to improve cybersecurity

Security professionals say agencies can require vendors to certify their software is free of the holes, which attackers commonly use to gain access to government networks.

Security experts from more than 30 public and private cybersecurity organizations released a list of the 25 most dangerous software programming errors on Monday as part of an initiative to help vendors check the security of their products before they are installed on government networks.

Traditionally, cybersecurity managers have focused on patching vulnerabilities announced by software companies. Many of those security holes are caused by errors in the code of software applications. The Top 25 Errors initiative, managed by the SANS Institute and MITRE Corp., allows vendors eliminate those errors before the software is sold and installed. Purchasers of software can require as part of all software procurements that vendors certify that their programs are free of the 25 errors.

"Certifications shifts responsibility to the vendor for correcting the errors and for any damage caused by those errors," said Alan Paller, director of research at SANS, a nonprofit cybersecurity research group based in Bethesda, Md.

The errors and solutions are grouped into three categories. The first, "Insecure Interaction Between Components," includes nine errors. Improper input validation and output encoding, for example, enables attackers to modify the programming code and ultimately hijack applications.

The second category, "Risky Resource Management," outlines nine errors programmers commit when developing core application components. Among them is the download of code without an integrity check to ensure it comes from a trusted source.

The third category, "Porous Defenses," includes seven errors in locking down code such as not creating access controls that check users who work with or modify software have the proper authorization to do so. Cyberattackers can access software functions that are intended for restricted users.

"The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator-centered view [of] detect, respond, patch, to a software engineering-centered view [of] design, implement, verify," said Konrad Vesey, information assurance directorate of the National Security Agency.

NSA initiated the creation of the Top 25 initiative to improve the security of software that the Defense Department purchased. The Homeland Security Department's National Cyber Security Division funded the 90-day project. A total of 37 individuals and organizations from industry, government and academia contributed to the program.

"When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence in product development is likely to emerge," Vesey said. "The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."

A number of state governments are adjusting their standard procurement language to incorporate the Top 25 errors, and over time, the international standard for computer security certification, the Common Criteria for Information Technology Security Evaluation, may adopt the list to ensure code purchased by the U.S. government is free of the errors, Paller said.

"This is a serious priority in New York," said Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, and chair of the Multi-State Information Sharing and Analysis Center. He plans to incorporate the Top 25 list into standard procurement language he developed for New York.

"This gives us all at the programming level 25 actions we can take today to eliminate the most common errors that, frankly, keep me up at night," Pelgrin said. "My life gets easier as people start taking this seriously."