I usually spend a lot of time on BBC.co.uk each day (so RescueTime tells me, anyhow), and while on it today I came across an interesting piece in the technology section relating to the publication of a near-universally agreed document which lists the top 25 programming errors that we so-called professional developers occasionally let creep into our systems & applications.
According to the SANS Institute (a leading contributor to the document), who issued a press release yesterday (12th Jan 09):
the impact of these errors is far reaching with just two of them leading to more than 1.5 million web site security breaches during 2008.
Contributors to the document, who include SANS, MITRE, Microsoft, the US National Security Agency, the Department of Homeland Security and Symantec, believe it will have four major impacts:
- Software buyers will be able to buy much safer software.
- Programmers will have tools that consistently measure the security of the software they are writing.
- Colleges will be able to teach secure coding more confidently.
- Employers will be able to ensure they have programmers who can write more secure code.
With regard to the third point above, I know that, with the exception of a passing remark or two about the need to validate input, I was not taught a lot about writing secure code during my computer science degree in college. I think in this day and age (web-based/cloud computing), teaching secure coding is the way to go, so I think this list will definitely help.
Reading through the list, I notice a lot of the usual suspects are listed, such as input validation, cross-site scripting, SQL injection and that old chestnut, hard-coded passwords, which I must admit gave me a chuckle just by its very inclusion in such a list, but I guess if developers are still doing this then it must be included.
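To make two of those "usual suspects" concrete, here is an added example (my own code, not from the original post, the Top 25 document or the SANS press release) showing a SQL injection bug (string-built query, CWE-89) beside the parameterized fix, and a hard-coded password beside a version that reads the secret from the environment and compares it in constant time. The `users` table, the accounts in it and the `ADMIN_PASSWORD` variable name are all constructed for the demo.

```python
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not real data).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """CWE-89: the caller's strings are pasted straight into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    name = 'alice' AND password = '' OR '1'='1', which matches every row.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Fix: bind the values as parameters; the driver never treats them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# The hard-coded password the list warns about: anyone who can read the
# source (or the binary, or the repo history) now has the credential, and
# rotating it means shipping a new build.
ADMIN_PASSWORD = "letmein"  # constructed demo value


def admin_check_hardcoded(candidate):
    """Compares against a secret baked into the code."""
    return candidate == ADMIN_PASSWORD


def admin_check_from_env(candidate, env=None):
    """Fix: take the secret from configuration (here an environment variable,
    an assumed deployment choice), fail closed if it is missing, and compare
    in constant time so response timing does not leak how many bytes matched.
    """
    env = os.environ if env is None else env
    secret = env.get("ADMIN_PASSWORD")
    if not secret:
        raise RuntimeError("ADMIN_PASSWORD is not configured")
    return hmac.compare_digest(candidate.encode(), secret.encode())


def demo():
    """Run both login variants against the same injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_accepts_payload": login_vulnerable(conn, "alice", payload),
        "parameterized_accepts_payload": login_parameterized(conn, "alice", payload),
        "parameterized_accepts_real_password": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable function lets the payload in because the quote character ends the string literal early; the parameterized one rejects it because the same characters are only ever data. The same idea applies to the other input-handling entries on the list: treat external input as data, never as code.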
The fairly detailed press release from SANS is available at http://www.sans.org/top25errors/, while the document itself is located at http://cwe.mitre.org/top25/. There's a printable PDF version available too, which I suggest every software development manager or team leader makes compulsory reading for his or her programmers.