Are You Vulnerable to These Top 25 Coding Errors?
A group of more than 30 organizations, including the Department of Homeland Security, Microsoft, and Symantec, recently collaborated on a security project to identify the top 25 coding errors programmers make when building Web sites.
Since many of these mistakes can leave sites vulnerable to cybercrime, it is a good idea to peruse the list and make sure you don't have any of these gaps in your own systems. In fact, just two of the 25 errors accounted for more than 1.5 million security breaches last year.
Some of the errors the group identified include: Improper Resource Shutdown or Release (CWE-404), Cleartext Transmission of Sensitive Information (CWE-319), and Error Message Information Leak (CWE-209).
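To make two of those entries concrete, here is an added example (not from the article, SANS or MITRE) of a minimal file-download handler written twice: first with CWE-404 (the file handle is never released if the read fails) and CWE-209 (the raw exception text, including the server-side path, goes back to the client), then hardened so the handle is released on every path and the client only ever sees a generic message with a correlation id while the detail is logged. The handler, the document root and the in-memory `FakeFile` that stands in for a real file object are all hypothetical, so the script runs offline.

```python
"""Added example: CWE-404 and CWE-209 in a hypothetical download handler,
vulnerable form beside the hardened one. Nothing here is from the article."""
import logging
import posixpath
import uuid

log = logging.getLogger("downloads")

DOC_ROOT = "/var/www/docs"  # hypothetical document root

# Constructed in-memory "filesystem" so the example runs without real files.
# A value of None marks a file whose read() fails with an I/O error.
FAKE_FS = {
    "/var/www/docs/readme.txt": b"hello",
    "/var/www/docs/corrupt.bin": None,
}


class FakeFile:
    """Stand-in for a file object; counts handles so a leak is observable."""

    open_handles = 0

    def __init__(self, path):
        if path not in FAKE_FS:
            raise FileNotFoundError(2, "No such file or directory", path)
        self.path = path
        FakeFile.open_handles += 1

    def read(self):
        if FAKE_FS[self.path] is None:
            raise OSError(5, "Input/output error", self.path)
        return FAKE_FS[self.path]

    def close(self):
        FakeFile.open_handles -= 1

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        self.close()  # runs whether or not the body raised
        return False


def serve_file_vulnerable(name):
    """Returns (status, body). Exhibits CWE-404 and CWE-209."""
    path = posixpath.join(DOC_ROOT, name)
    try:
        f = FakeFile(path)
        data = f.read()  # if this raises, close() below is skipped: the handle leaks
        f.close()
        return 200, data
    except Exception as exc:
        # str(exc) embeds the absolute server path, e.g.
        # "[Errno 2] No such file or directory: '/var/www/docs/x'"
        return 500, str(exc).encode()


def serve_file_hardened(name):
    """Same contract; the handle is always released and errors are generic."""
    path = posixpath.join(DOC_ROOT, posixpath.basename(name))  # bare filename only
    try:
        with FakeFile(path) as f:  # __exit__ closes even when read() raises
            return 200, f.read()
    except FileNotFoundError:
        return 404, b"Not found"
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]  # correlation id: client and log share it
        log.error("download failed ref=%s path=%s err=%r", ref, path, exc)
        return 500, f"Internal error (ref {ref})".encode()


if __name__ == "__main__":
    for name in ("readme.txt", "missing.txt", "corrupt.bin"):
        FakeFile.open_handles = 0
        status, body = serve_file_vulnerable(name)
        print("vulnerable", name, status, body, "leaked handles:", FakeFile.open_handles)
        FakeFile.open_handles = 0
        status, body = serve_file_hardened(name)
        print("hardened  ", name, status, body, "leaked handles:", FakeFile.open_handles)
```

The correlation id is the practical trade-off for CWE-209: support staff can still find the full stack trace in the server log, but an attacker probing with bad filenames learns nothing about the filesystem layout. The `with` statement is the idiomatic fix for CWE-404 in Python; the same idea applies to sockets, database cursors and locks.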
Patrick Lincoln, director of the Computer Science Laboratory at SRI International, acknowledges that even if all these errors were corrected or prevented, serious hackers won't be deterred. "The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent - ankle-biters if you will - would be deterred from breaking in," he told the BBC.
According to the SANS Institute, which organized the team effort, the list will affect everyone from employers to universities. The Institute claims software buyers "will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors." Additionally, colleges will be better placed to teach secure coding with the list as a starting point, and programmers can use it to measure the security of their own software.
The SANS Institute says its goal in publicizing the list of errors is to improve security across the nation's Web infrastructure.