A new report that details the 25 top programming errors is likely to drive federal and state agencies to demand vendors provide more secure programs – and vendors to step up their game.
The Top 25 initiative was launched by the National Security Agency to improve Defense Dept. purchases. It was funded by the Dept. of Homeland Security and managed by the SANS Institute and MITRE Corp.
More details at the SANS site.
"The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator-centered view [of] detect, respond, patch, to a software engineering-centered view [of] design, implement, verify," said Konrad Vesey, information assurance directorate of the National Security Agency.
Errors fall into three groupings:
- Insecure Interaction Between Components includes improper input validation and output encoding, errors that enable attackers to modify the programming code and ultimately hijack applications.
- Risky Resource Management involves core application components. Downloading code without an integrity check is an example here.
- Porous Defenses includes errors in locking down code, such as failure to create access controls that check that users who modify software have the proper authorization.
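Two of the errors named in the groupings above, missing output encoding and downloading code without an integrity check, are easy to show side by side with their fixes. The following Python is an added illustration written for this page, not code from the article or from the SANS/MITRE Top 25 material; the comment text, the "downloaded" module bytes and the published digest are constructed sample values.

```python
import hashlib
import hmac
import html
from typing import Optional

# Constructed sample: untrusted comment text as a user might submit it.
UNTRUSTED_COMMENT = '<script>alert("xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Insecure Interaction error: user input is dropped into HTML with no
    output encoding, so any markup in it is interpreted by the browser."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened form: encode the input for the HTML-body context before
    embedding it, so the browser renders it as text rather than markup."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


# Constructed sample: bytes of a "downloaded" module and the digest its
# publisher would distribute out of band (here computed from the sample).
DOWNLOADED_CODE = b"def run():\n    return 42\n"
PUBLISHED_SHA256 = hashlib.sha256(DOWNLOADED_CODE).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Risky Resource Management mitigation: accept downloaded code only
    when its SHA-256 digest matches the published one. compare_digest
    performs the comparison in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def load_code_if_trusted(data: bytes, expected_sha256: str) -> Optional[bytes]:
    """Return the code only if the integrity check passes; otherwise None,
    so callers cannot execute tampered or truncated downloads by accident."""
    if not verify_download(data, expected_sha256):
        return None
    return data


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(verify_download(DOWNLOADED_CODE, PUBLISHED_SHA256))
    print(verify_download(DOWNLOADED_CODE + b"# tampered\n", PUBLISHED_SHA256))
```

The encoding function is specific to the HTML-body context; a value placed into a JavaScript string or a URL needs that context's encoding instead. The integrity check is only as strong as the channel the expected digest arrives over, which is why the digest must come from somewhere other than the download itself.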
State governments responded enthusiastically.
"This is a serious priority in New York," said Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, and chair of the Multi-State Information Sharing and Analysis Center. He plans to incorporate the Top 25 list into standard procurement language he developed for New York.
"This gives us all at the programming level 25 actions we can take today to eliminate the most common errors that, frankly, keep me up at night," Pelgrin said. "My life gets easier as people start taking this seriously."