Coder's Top 25 Worst Bungles Enable Cyber Espionage and Cybercrime
High-profile organizations including Microsoft, the NSA, the SANS Institute and Mitre have jointly issued a list of the 25 most dangerous programming errors committed by software developers: the mistakes that result in security bugs and enable cyber espionage and cybercrime.
The list was compiled by more than 30 experts from cyber security organizations in the U.S. and other countries.
Just two of the errors led to more than 1.5 million web site security breaches in 2008. The report states that those breaches in turn compromised the computers of people visiting those sites, turning them into so-called zombie machines. "In one case in 2008, more than 1 million Web sites were penetrated and infected and made to infect visitors' computers - and those were trusted sites like the United Nations, state government and others."
Insecure Interaction Between Components.
The nine programming mistakes under this heading include improper input validation (CWE-20), improper encoding or escaping of output (CWE-116), failure to preserve SQL query structure (CWE-89, better known as SQL injection) and failure to preserve web page structure (CWE-79, cross-site scripting). In the report, nine other errors fall under Risky Resource Management, and the remaining seven are classified as Porous Defenses.
Some of the consequences can be very significant. "For example, the 'CWE-89: Failure to Preserve SQL Query Structure,'" said Richard Wang, U.S. manager at SophosLabs.
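The two most familiar entries in the Insecure Interaction category, CWE-89 and CWE-79, both come down to the same mistake: untrusted input is pasted into a structured text (a SQL statement, an HTML page) so that metacharacters in the input rewrite the structure. The following is an added example, not code from the report or from any of the organizations named above; the `users` table, the credentials and the injection string are constructed for the demonstration. It shows a login check written the vulnerable way beside the parameterized version, and an HTML greeting rendered raw beside the output-encoded version.

```python
import html
import sqlite3


def _make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo (hypothetical users, not real accounts).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> list:
    # CWE-89: the untrusted strings become part of the SQL text, so a single
    # quote in the input closes the literal and changes the WHERE clause.
    sql = f"SELECT name, role FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, user: str, pw: str) -> list:
    # Parameterized query: the statement structure is fixed here; the driver
    # binds user and pw as values, never as SQL text.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # CWE-79: untrusted data dropped into the page with no encoding, so the
    # input can open its own tags.
    return f"<p>Hello, {name}</p>"


def render_greeting_hardened(name: str) -> str:
    # Output encoding (the fix for CWE-116 as it applies to HTML): the
    # metacharacters < > & " ' are escaped, so the input stays text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    conn = _make_db()
    # Constructed injection string: turns the WHERE clause into a tautology.
    payload = "' OR '1'='1"
    xss = "<script>alert(1)</script>"  # constructed XSS probe
    return {
        "honest_login": login_hardened(conn, "bob", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, payload, payload),
        "injected_hardened": login_hardened(conn, payload, payload),
        "xss_vulnerable": render_greeting_vulnerable(xss),
        "xss_hardened": render_greeting_hardened(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the injected payload, `login_vulnerable` returns every row in the table, including the admin account, because the statement it builds reads `... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`; the parameterized `login_hardened` returns nothing, since it looks for a user literally named `' OR '1'='1`. The same split applies to the HTML case: the escaped greeting contains no `<script>` tag at all.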
Universities should be forced to teach and test all current programmers for secure coding skills and fill their gaps using the GIAC (Global Information Assurance Certification) Secure Software Programmer test, said Alan Paller, research director at the SANS Institute.