In the wake of fears that cybercrime will shoot up this year and calls to the incoming Obama administration to beef up cyber security, more than 30 U.S. and international cyber security organizations today released a list of the leading programming errors that impact security on the Web.
The effort was jointly coordinated by MITRE, a not-for-profit organization chartered to work in the public interest, and the SANS (SysAdmin, Audit, Network, Security) Institute. It was funded by the Department of Homeland Security’s National Cyber Security Division.
The participants, who ranged from the National Security Agency (NSA) to software vendors to various universities, agreed on a total of 25 major programming errors that show up time and again.
“It’s one of those things that should’ve been done a long time ago,” Paul Kurtz, a principal author of the U.S. National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode), told InternetNews.com.
SAFECode, one of the participants, is dedicated to increasing trust in information and communications technology products.
The Top 25 list, available on SANS’ Web site, comes with instructions on preventing or mitigating these programming problems. “Most of these errors are not well understood by programmers,” SANS says on its Web site. “Their avoidance is not widely taught by computer science programs and their presence is frequently not tested by organizations developing software for sale.”
The errors include CWE-89, failure to preserve SQL query structure, which gives rise to SQL injection attacks, one of the favorite attacks of hackers.
Another programming error dealt with is CWE-79, failure to preserve Web page structure, which enables cross-site scripting, another common and dangerous vulnerability in a Web application.
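As an added illustration that is not part of the original article or of the CWE/SANS material, the following Python shows the two injection-class errors named above, CWE-89 and CWE-79, as a vulnerable implementation beside its fixed form. The in-memory SQLite table, the function names and the payloads are constructed for the example; in both cases the fix is the same idea the CWE titles express: keep the structure of the query or page fixed, and let untrusted input be only a value.

```python
"""Added example (not from the article or from MITRE/SANS): CWE-89 and
CWE-79 as a vulnerable function beside its fixed form, run against a
constructed in-memory SQLite database."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not from the article. Plaintext passwords
    are used only to keep the sample small; never do this in real code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """CWE-89: user input is spliced into the SQL text, so the attacker
    controls the query's structure, not just the values being compared.
    A name of "alice' --" comments out the password check entirely."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, name: str, password: str):
    """Parameterised statement: the query structure is fixed before any
    input is seen, so input can only ever be a bound value."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name: str) -> str:
    """CWE-79: untrusted data is dropped straight into the HTML, so markup
    in the input becomes markup in the page."""
    return "<p>Hello, %s</p>" % name


def render_greeting_fixed(name: str) -> str:
    """Output encoding for the HTML text context: <, >, &, and quotes are
    turned into entities, so the input stays text in the rendered page."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable login with injected name:", login_vulnerable(db, payload, "x"))
    print("fixed login with injected name:     ", login_fixed(db, payload, "x"))
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_fixed(xss))
```

Run stand-alone, the vulnerable login returns `alice` without the password, while the parameterised version returns nothing for the same input; the escaped greeting shows `&lt;script&gt;` in place of a live tag.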
Yet another programming error brought up is improper authorization, an issue that leads to insider data breaches.
Broken algorithms hurt
These errors are serious. According to SANS, two of the errors alone led to more than 1.5 million Web site security breaches during 2008 and the effect of those breaches was multiplied because malware on the tainted Web sites turned the computers of visitors into zombies.
“This rights a wrong,” Alan Paller, director of research at the SANS Institute, told InternetNews.com. “Most software vendors don’t fix security flaws in their products after they have been purchased.”
The problem is, software purchase agreements do not list security problems that need to be fixed, and enterprise purchasers cannot tell what flaws exist until after they examine the code, Paller said. “This lists the flaws.”
The list comes amid heightened concerns about Internet security. Experts have expressed fears that cybercriminals will have a bonanza year in 2009 because governments are preoccupied with the global recession.
They have also urged the incoming Obama administration to close holes in the nation’s and federal government’s Internet infrastructure because cyber attacks and data breaches at major U.S. and state government departments have been rife.