International security organisations have unveiled a list of 25 common programming errors that cause security vulnerabilities and expose IT users to cyber attack.
Nine of the errors involve insecure interaction between software components, nine relate to risky resource management, and seven deal with porous defences such as missing or weak access control.
The US-funded collaboration project is managed by Mitre and the Sans Institute and brings together security experts from more than 30 global organisations.
The project is aimed at helping software producers to code more
securely by focussing on actual errors and providing information on
how to avoid them.
The project will also enable end-user organisations to require suppliers to certify that their code is free of these programming errors.
The Sans Institute said it was shocking that most of these
common security errors are not understood by programmers.
Programmers are not widely taught to avoid these errors and
commercial software producers seldom check for them.
Mason Brown, director at the Sans Institute, said software
producers need to make sure every programming team has processes in
place to find, fix or avoid these problems.
The impact of these errors is far reaching, said the Sans
Institute, with just two of them leading to more than 1.5 million
website security breaches during 2008.
At least one organisation is known to have paid 150% more than
the price of a software package to fix security flaws, according to
Sans Institute research director Alan Paller.