The US National Security Agency (NSA), the Department of Homeland Security, Microsoft, Symantec and a group of more than 30 other cyber security organizations have formed a group to outline the most dangerous software programming errors.
The group has jointly released a consensus list of the 25 most dangerous programming errors - and how to fix them. These programming errors lead to security bugs and can enable cyber espionage and cyber crime; most of them are not well understood, nor is their avoidance taught in computer science programs. The press release also notes that organizations developing software for sale do not frequently test for these errors. The list is, therefore, a big step forward in making software more secure.
"There appears to be broad agreement on the programming errors. Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify." - SANS Director, Mason Brown
According to the release, just 2 out of these 25 programming errors led to more than 1.5 million website security breaches in 2008. The 25 errors represent the worst things that can happen when software is being written - and will give a minimum set of coding errors that should be eradicated before software gets to the consumer.
The programming errors include sending sensitive information in clear text and hard-coding passwords into programs. The errors fall into three categories: insecure interaction between components, risky resource management, and porous defenses. You can read more here or here.
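The two errors named above are concrete enough to check for mechanically. The following is an added example, not code from the post or from the Top 25 list itself: a small scanner that flags hard-coded credential assignments and plain `http://` endpoints in source lines, run over a constructed snippet, plus the hardened pattern of loading a secret from the environment at runtime. The regexes, the sample lines and the function names are this example's own assumptions, not anything the Top 25 prescribes.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample source lines (not from any real project). They show the
# two errors the post names: a hard-coded credential and a cleartext endpoint,
# next to the corrected forms.
SAMPLE_SOURCE = """\
DB_PASSWORD = "s3cr3t-hunter2"              # hard-coded credential
api_key = 'example-key-not-real'            # hard-coded credential
LOGIN_URL = "http://example.test/login"     # credentials would travel in cleartext
SAFE_URL = "https://example.test/login"     # TLS-protected endpoint
timeout = 30
password = os.environ["DB_PASSWORD"]        # read from the environment instead
"""

# A quoted literal assigned to a credential-looking name. Case-insensitive so
# DB_PASSWORD and api_key both match; no leading \b so suffixes like _PASSWORD hit.
HARDCODED_SECRET = re.compile(
    r"""(?i)(password|passwd|pwd|secret|api_key|token)\s*=\s*["'][^"']+["']"""
)
# A quoted URL using plain http:// (https:// does not match: the character after
# "http" is "s", not ":").
CLEARTEXT_URL = re.compile(r"""["']http://[^"']+["']""")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, stripped_line) for every rule that fires."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if HARDCODED_SECRET.search(line):
            findings.append((n, "hard-coded-credential", line.strip()))
        if CLEARTEXT_URL.search(line):
            findings.append((n, "cleartext-url", line.strip()))
    return findings


def load_db_password(env_var: str = "DB_PASSWORD",
                     env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: fetch the secret from the environment at runtime and
    fail loudly when it is missing instead of falling back to a literal."""
    env = os.environ if env is None else env
    value = env.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to use a built-in default")
    return value


if __name__ == "__main__":
    for n, kind, line in scan_source(SAMPLE_SOURCE):
        print(f"line {n}: {kind}: {line}")
```

Run stand-alone, the scanner reports lines 1 and 2 as hard-coded credentials and line 3 as a cleartext URL; the `https://` line and the environment lookup on line 6 are not flagged. A pattern scanner like this catches only the obvious cases, which is exactly the point of the press release: these errors are cheap to find once a team decides to look.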
Via PC World; clipart via Microsoft / Presentation Pro