By Walaika Haskins TechNewsWorld
01/12/09 1:56 PM PT
High-profile organizations including Microsoft, the NSA, the SANS Institute and Mitre have collectively issued a list of the top 25 most dangerous programming errors. Slip-ups on the part of software coders can result in costly thefts by hackers. The remedy: better education and more accountability.
A report issued Monday purports to detail the 25 most dangerous programming errors committed by software writers that result in security bugs and enable cyber espionage and cybercrime. The list was compiled by more than 30 experts from cyber security organizations in the U.S. and other countries.
Experts from the Computer Emergency Response Team (CERT), the non-profit technology resource Mitre, the National Security Agency and the Department of Homeland Security's National Cyber Security Division, Symantec (Nasdaq: SYMC), Microsoft (Nasdaq: MSFT) and the Japanese IPA, among others, named the errors, according to Mason Brown, director of the SANS Institute, which helped coordinate the project.
Just two of the errors alone led to more than 1.5 million Web site security breaches in 2008. Those breaches in turn compromised the computers of people visiting those sites, turning the computers into so-called zombie machines, the report states.
"[The mistakes] are huge. They are the underlying reason for almost all the patches we end up having to install on computers all over the world, and they enable the vast bulk of cybercrime and cyber espionage," Alan Paller, director of research at the SANS Institute, told TechNewsWorld.
"In one case in 2008, more than 1 million Web sites were penetrated and infected and made to infect their visitors' computers -- and those were trusted sites like the United Nations, state government and others. That was caused by errors 1 and 2 on the list," he continued.
Error Message
Topping the list are errors dubbed "Insecure Interaction Between Components." The nine programming mistakes under this heading include improper input validation, improper encoding or escaping of output, failure to preserve SQL query structure (a.k.a. SQL injection), and failure to preserve Web page structure (a.k.a. cross-site scripting).
"Some of the consequences can be very significant. For example, the 'CWE-89: Failure to Preserve SQL Query Structure (a.k.a. SQL Injection)' is a flaw that has been used to inject malicious code into many thousands of Web sites. The technique has been known for many years but was used extensively by hackers in 2008 to spread malicious software and spyware using hacked Web sites," said Richard Wang, U.S. Manager at SophosLabs.
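What "failure to preserve SQL query structure" and "improper encoding or escaping of output" mean in code, as an added illustration that is not part of the article or the CWE/SANS report: the same string splicing that breaks on a legitimate apostrophe is what lets untrusted input rewrite a query, while a parameterized query fixes the structure before the value is bound, and output encoding does the same for HTML. The table, names and functions are constructed for this example.

```python
import html
import sqlite3

# Constructed in-memory sample table for this demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_role_vulnerable(conn, name):
    # CWE-89: the caller's input is spliced into the SQL text, so a quote in it
    # changes the statement's structure instead of being treated as data.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_role_safe(conn, name):
    # Parameterized query: the statement structure is fixed before the value is
    # bound, so the input can only ever be compared as a string value.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def render_role_safe(name, roles):
    # CWE-116 / cross-site scripting: encode untrusted values before placing them
    # in HTML so that markup characters in a name cannot change the page structure.
    return "<p>%s: %s</p>" % (html.escape(name), html.escape(", ".join(roles)))

def compare(name):
    """Run both lookups on the same input and report whether the vulnerable
    form kept the query structure intact (it breaks on a plain apostrophe)."""
    conn = make_db()
    try:
        vulnerable = lookup_role_vulnerable(conn, name)
        structure_preserved = True
    except sqlite3.Error:
        vulnerable = []
        structure_preserved = False
    safe = lookup_role_safe(conn, name)
    return {"vulnerable": vulnerable, "safe": safe,
            "structure_preserved": structure_preserved,
            "html": render_role_safe(name, safe)}

if __name__ == "__main__":
    for n in ("alice", "O'Brien", "<b>bob</b>"):
        print(n, compare(n))
```

The apostrophe case is the tell: a query whose structure depends on its input fails on ordinary data long before anyone probes it deliberately, so a syntax error in the database log on a name like O'Brien is worth treating as a CWE-89 finding.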
In the report, nine other errors fall under "Risky Resource Management," and the seven final errors have been classified as "Porous Defense" issues.
"Some of the errors in the list relate to organizational behavior and policy; for example, 'CWE-250: Execution with Unnecessary Privileges.' Implementing and enforcing procedures to change the insecure behavior of a network's users and administrators can help to reduce the risk of compromise," Wang noted.
Needed: Defense Against the Dark Arts Class
The report found that most of the errors that have been identified are not well understood by programmers, who are generally not taught by university computer science programs how to avoid such mistakes. Also, the presence of these errors is not frequently tested by organizations developing software for sale.
"Ten years ago, computer crime was not a big thing. So nearly all the teachers and most of the current patch programmers learned to code when they didn't have to worry about hackers. Now they do, but their teachers don't know how and they are uncomfortable teaching it," Paller explained.
The economic impact on an organization can be significant. A security breach can mean loss of intellectual property or loss of confidential data. Cleaning up after a data breach can be expensive, as is the process of notifying those who may have been affected. There are both financial and customer confidence costs, said Wang.
As organizations struggle to cope with the constant onslaught of security vulnerabilities that are a result of these mistakes, billions of dollars are wasted patching errors and testing patches to clean up after an infection, Paller noted.
"More billions of dollars [have been lost] to cybercrime," he added.
Still Hope
All hope, however, is not lost. While these mistakes are prevalent, there are several remedies.
Universities should be forced to teach and test all current programmers for secure coding skills and fill their gaps using the GIAC Secure Software Programmer Test, Paller said.
Second, "test all software using automated source and binary code testing tools. No. 3, write contracts that require developers to fix the errors and take financial responsibility for the ones they miss. Once the software writers are responsible for losses from these errors, they will do 1 and 2," he suggested.
There are several remedies, Wang agreed, but added that as with most security problems, there is "no silver bullet." Organizations must ensure the software they use is developed with security in mind, whether the software is off-the-shelf or custom built.
"If the software has access to your data or your network, then security flaws in that software could give hackers access to your data and your network. If your organization develops software, make sure that your developers are aware of these programming errors. Even if the software they are developing is not security-related, any software could potentially be used by hackers to obtain or increase their access to a network," he explained.
Organizations should ensure that the software they use is up-to-date and fully patched. This applies to applications as well as operating systems (OSes). As OS developers have improved their security patch distribution methods, hackers have targeted applications, which may be less frequently updated. Web browsers, another access point, provide conduits between a potentially dangerous Web site and any application that the browser can start on the desktop.
"For example, flaws in media players, image viewers or document reading software could be exploited via a Web browser used to launch those applications," Wang continued.
"It is sadly the case that someone else's programming error, whether in a Web site or application, can cost you. Organizations must understand the risks they face and have layered security solutions in place so that a single flaw does not expose the entire organization," he concluded.