Tuesday, January 13, 2009
Experts Announce the 25 Most Dangerous Programming Errors - And How to Fix Them


Experts from more than 30 US and international cyber security organizations jointly released the list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

The list was spearheaded by the National Security Agency.

"Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale," SANS Institute said in a press release.

The impact of these errors led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided input to the project are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University.

Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. The Top 25, however, focuses on the actual programming errors, made by developers, that create the vulnerabilities. Just as important, the Top 25 web site provides detailed information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens," said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

The list might help improve the quality of programming classes and training programs by creating consensus about what the most common mistakes are and what developers can do to prevent them.

The errors have been broken into three categories, labeled insecure interaction between components (nine errors), risky resource management (another nine) and porous defenses (seven). Mistakes include improper input validation, external control of state data and improper access control.
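The three categories are abstract, so here is an added Python example, written for this page and not taken from the article or from the SANS/MITRE Top 25 material, that shows two of the named errors in a toy request handler. The weak version trusts the caller's role from the request body (external control of state data) and does no field validation; the hardened version allowlists each field and takes the role from the server-side session before authorizing the action. The PERMISSIONS table, ValidationError and the handler functions are constructed for this illustration.

```python
import re

# Constructed role-to-permission table (assumption: not the article's data).
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


class ValidationError(ValueError):
    """Raised when an untrusted field fails allowlist validation."""


def validate_quantity(raw, lo=1, hi=100):
    """Allowlist validation of a numeric form field.

    Only a canonical decimal integer (no sign, no leading zero, at most three
    digits) inside [lo, hi] is accepted; everything else is rejected before
    it can reach arithmetic or a database.
    """
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,2}", raw):
        raise ValidationError(f"quantity must be 1-3 digits, got {raw!r}")
    n = int(raw)
    if not lo <= n <= hi:
        raise ValidationError(f"quantity {n} outside [{lo}, {hi}]")
    return n


def validate_username(raw):
    """Allowlist validation: 3-32 characters from [a-z0-9_] only."""
    if not isinstance(raw, str) or not re.fullmatch(r"[a-z0-9_]{3,32}", raw):
        raise ValidationError(f"invalid username {raw!r}")
    return raw


def authorize(session, action):
    """Server-side access control: the role comes from the session the server
    created at login, never from anything the client sent with this request."""
    role = session.get("role")
    if action not in PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not {action}")
    return True


def handle_delete_request_unsafe(session, form):
    """Weak pattern: the role is read from the request body (external control of
    state data) and the fields are used without validation."""
    role = form.get("role", session.get("role"))
    if "delete" not in PERMISSIONS.get(role, set()):
        raise PermissionError("not allowed")
    return {"action": "delete", "user": form.get("user"),
            "quantity": int(form.get("quantity"))}


def handle_delete_request(session, form):
    """Hardened pattern: validate every field, then authorize from the session,
    then act. Returns a dict describing the action that was taken."""
    qty = validate_quantity(form.get("quantity", ""))
    user = validate_username(form.get("user", ""))
    authorize(session, "delete")
    return {"action": "delete", "user": user, "quantity": qty}


def rejects(fn, *args):
    """Helper for checks: True if fn(*args) is refused on validation or
    authorization grounds."""
    try:
        fn(*args)
    except (ValidationError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request: a viewer session whose request body claims
    # the admin role. The weak handler honours the claim; the hardened one
    # ignores the body and refuses.
    viewer_session = {"role": "viewer"}
    request = {"quantity": "3", "user": "bob", "role": "admin"}
    print("unsafe:", handle_delete_request_unsafe(viewer_session, request))
    print("hardened refuses:", rejects(handle_delete_request, viewer_session, request))
```

The two handlers make the same decision only when the client is honest; the hardened one is correct because the value that gates the action never leaves the server, and every other field is narrowed to an allowlisted shape before it is used.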

Resources to Help Eliminate The Top 25 Errors

The Top 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites (www.sans.org/top25 and cwe.mitre.org/top25/).

MITRE maintains the CWE (Common Weakness Enumeration) web site (cwe.mitre.org/), with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities.

SANS maintains a series of assessments of secure coding skills in three languages, along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allow buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

CDRINFO.COM 1998-2014 - All rights reserved