A group of over 30 organizations including the Department of Homeland Security, Microsoft, and Symantec collaborated recently on a security project designed to identify the top 25 coding errors programmers make when building Web sites.
Since many of the mistakes can leave sites vulnerable to cyber crime, it's a good idea to peruse the list and make sure you don't have any security gaps in your systems. In fact, just two of the 25 errors accounted for more than 1.5 million security breaches last year.
Some of the errors the group identified include: Improper Resource Shutdown or Release (CWE-404), Cleartext Transmission of Sensitive Information (CWE-319), and Error Message Information Leak (CWE-209).
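As an added illustration that is not part of the original article, here is the third error named above, Error Message Information Leak (CWE-209), in a vulnerable request handler beside a hardened one. The backend function, the error text, and the handler names are constructed for this example.

```python
import logging
import uuid

log = logging.getLogger("app")


class FakeDbError(Exception):
    """Constructed stand-in for a database driver error."""


def fetch_from_db(user_id: str) -> dict:
    # Constructed failure: driver errors often embed hostnames, paths and
    # query fragments that are useful to an attacker and useless to a user.
    raise FakeDbError(
        "connect to db-internal.corp:5432 failed: /etc/app/db.conf not found"
    )


def query_user_vulnerable(user_id: str) -> dict:
    """CWE-209: the raw exception text is sent straight back to the client."""
    try:
        return {"status": 200, "body": fetch_from_db(user_id)}
    except Exception as exc:
        return {"status": 500, "body": f"Internal error: {exc}"}


def query_user_hardened(user_id: str) -> dict:
    """Details stay in the server log; the client gets a generic message
    plus a correlation id that support staff can look up."""
    try:
        return {"status": 200, "body": fetch_from_db(user_id)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed for user_id=%r: %s", ref, user_id, exc)
        return {"status": 500, "body": f"Internal error (reference {ref})"}


def leaks_internal_detail(response: dict) -> bool:
    """Simple check a reviewer can apply: does the client-visible body
    contain the internal hostname or config path from the backend error?"""
    body = response["body"]
    return "db-internal.corp" in body or "/etc/app/" in body


if __name__ == "__main__":
    print(query_user_vulnerable("42"))
    print(query_user_hardened("42"))
```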
Patrick Lincoln, director of the Computer Science Laboratory at SRI International, acknowledges that even if all these errors were corrected or prevented, serious hackers won't be deterred. "The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent - ankle-biters if you will - would be deterred from breaking in," he told the BBC.
According to the SANS Institute, which organized the team effort, the list will impact everyone from employers to universities. The Institute claims software buyers "will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors." Additionally, colleges will be in a better position to teach secure coding with the list as a starting point, and programmers can use it to measure software security.
The SANS Institute says its goal in publicizing the list of errors is to increase security within the nation's Web infrastructure.