A group of 30 organizations, led by experts from the U.S. National Security Agency, the Department of Homeland Security, Microsoft and Symantec, published on Monday a blueprint outlining the 25 most dangerous software programming errors and how to deal with them.
The list represents the first time the industry has reached consensus on the worst things that can happen when software is being written.
More than just a list, however, the document could be used as a negotiating tool between buyers and software vendors, said Alan Paller, director of research with the SANS Institute, a security training group that spearheaded the work.
The list contains programming errors that enable cyber espionage and cyber crime, said Tony Sager, of the NSA’s information assurance directorate.
“Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively,” Sager said.
The errors are broken into three categories:
• Insecure Interaction Between Components (9 errors)
• Risky Resource Management (9 errors)
• Porous Defenses (7 errors)
The report identified improper input validation as “the number one killer of healthy software.”
“Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today’s common vulnerabilities can be eliminated, or at least reduced, using proper input validation,” the report said.
Other errors include:
• Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
• Improper Encoding or Escaping of Output
• Failure to Constrain Operations within the Bounds of a Memory Buffer
• Use of a Broken or Risky Cryptographic Algorithm
• Hard-Coded Password
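As an added example that is not part of the article or the report, the following Python snippet contrasts a lookup that concatenates its input into SQL (the “Failure to Preserve SQL Query Structure” entry) with one that applies the input validation the report recommends and binds the value as a parameter; the table, user names and the injected string are constructed for the illustration.

```python
import re
import sqlite3

# Constructed in-memory sample database (not from the report).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

# VULNERABLE: the input is spliced into the SQL text, so the query's
# structure is whatever the input makes it.
def lookup_role_vulnerable(conn, name):
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# HARDENED: validate against an allow-list of acceptable user names first,
# then bind the value as a parameter so the database never parses it as SQL.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def lookup_role_hardened(conn, name):
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]

# Constructed input that closes the quoted literal and appends a tautology.
# No user has this name, so a correct lookup must return nothing.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_role_vulnerable(db, INJECTED))  # every role in the table leaks
    try:
        lookup_role_hardened(db, INJECTED)
    except ValueError as err:
        print("rejected:", err)
```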
“This is a very comprehensive list of very often neglected errors and how to deal with them. It will be valuable for coders as well as non-technical department heads and managers who need a better understanding of programming issues,” said Howard Kiewe, senior research analyst specializing in application development at the analyst firm Info-Tech Research Group in London, Ont.
Kiewe said the list appeared to concentrate on Web application development and would be useful for programmers and organizations working on online tools.
He said some of the listed errors are “pretty obvious, but you would be surprised to find out how often these basic mistakes are committed.”
For instance, hard-coding passwords into software code is a common practice by programmers who want to make software testing easier. Unfortunately, the practice also makes it easier for hackers to crack the software, Kiewe said.
As many organizations face the challenges of the economic recession, having a comprehensive guideline on how to avoid costly programming errors would be a valuable tool, according to David Senf, director of Security and Software Research at IDC Canada.
In some cases, Senf said, debilitating attacks such as SQL injection attacks can be traced to developer mistakes.
“Following a checklist such as this could spell the difference between a successful development process and having a hacker living in your software stealing personal and critical information for six months or more,” Senf said.
The authors of the list, however, missed one “glaring issue,” according to another industry insider, Michael Bolton, a specialist in rapid software testing and founder of DevelopSense, a Toronto-based program management, testing and configuration management services firm.
“I think they missed the most serious problem. People tend to focus on fixing technical problems to make sure the software works, but they fail to identify if the program actually does something useful,” Bolton said.
He said the researchers reached a consensus quickly because leaders in the programming, testing, and security communities at large “have known about these kinds of problems for years, and we’ve known about how to fix them, too.”
However, Bolton said, not much is done about persistent programming errors, because organizations do not focus on quality as a relationship between the product and its users.
“The top priorities, it seems to me, are usually considered to be availability or time to market, and the cost of developing or purchasing the software. Managers have problems that they want to solve, and they want to solve them right now at the lowest possible cost,” he said.
“It’s entirely possible to create a program that is functionally correct, robustly secure, splendidly interoperable, and so forth, but people might still hate it. Vista was a flop because it makes people think they’re being pecked to death,” Bolton said.