A group of 30 organizations, led by experts from the U.S. National Security Agency, the Department of Homeland Security, Microsoft and Symantec, published on Monday a blueprint outlining the 25 most dangerous software programming errors and how to deal with them.
The list represents the first time the industry has reached consensus on the worst things that can happen when software is being written.
25 deadly errors
More than just a list, however, the document could be used as a negotiating tool between buyers and software vendors, said Alan Paller, director of research with the SANS Institute, a security training group that spearheaded the work.
The list contains programming errors that enable cyber espionage and cyber crime, said Tony Sager, of the NSA's information assurance directorate.
"Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively," Sager said.
The errors are broken into three categories:
Insecure Interaction Between Components (9 errors)
Risky Resource Management (9 errors)
Porous Defenses (7 errors)
The report identified improper input validation as "the number one killer of healthy software."
"Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today's common vulnerabilities can be eliminated, or at least reduced, using proper input validation," the report said.
Other errors include:
• Failure to Preserve SQL Query Structure (aka 'SQL Injection')
• Improper Encoding or Escaping of Output
• Failure to Constrain Operations within the Bounds of a Memory Buffer
• Use of a Broken or Risky Cryptographic Algorithm
• Hard-Coded Password
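Two of the listed errors, shown in their vulnerable form beside the fix, together with the allow-list style of input validation the report puts first. This is an added example written for this page, not code from the report or from any of the organizations named in it; the user table, the attacker payloads and the function names are constructed for illustration.

```python
"""Two of the listed errors, vulnerable form beside the fix (added example)."""
import html
import re
import sqlite3


# Constructed sample data: an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# Failure to Preserve SQL Query Structure: the input is spliced into the
# query text, so quotes and comment markers in it change the SQL grammar.
def login_vulnerable(conn, name, password):
    query = (f"SELECT name FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


# Fix: placeholders keep the query structure fixed; the driver passes the
# values separately, so they can only ever be compared, never parsed.
def login_parameterized(conn, name, password):
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Improper Encoding or Escaping of Output: data is written into HTML as-is.
def greeting_vulnerable(name):
    return f"<p>Welcome, {name}!</p>"


# Fix: encode for the output context (HTML text and attributes here).
def greeting_escaped(name):
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


# Input validation: an allow-list check applied before the value reaches
# the query or the page. It narrows what can arrive but does not replace
# parameterization or output encoding, which handle the data safely even
# when validation is missing or too loose.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    print(login_vulnerable(db, "alice", payload))     # every user comes back
    print(login_parameterized(db, "alice", payload))  # no match
    print(greeting_escaped("<script>alert(1)</script>"))
    print(is_valid_username(payload))                 # rejected up front
```

The payload `x' OR '1'='1` turns the concatenated query into `... AND password = 'x' OR '1'='1'`, which matches every row; a name of `alice'--` comments out the password check entirely. The parameterized version returns nothing for both because the quote and comment characters are compared as data, never parsed as SQL.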
"This is a very comprehensive list of very often neglected errors and how to deal with them. It will be valuable for coders as well as non-technical department heads and managers who need a better understanding of programming issues," said Howard Kiewe, senior research analyst specializing in application development at the analyst firm Info-Tech Research Group in London, Ont.
Kiewe said the list appeared to concentrate on Web application development and would be useful for programmers and organizations working on online tools.
He said some of the listed errors are "pretty obvious, but you would be surprised to find out how often these basic mistakes are committed."