Experts reveal top 25 programming blunders
By Barry Collins
Posted on 13 Jan 2009 at 09:26
A forum of the world's leading security experts has published the top 25 most dangerous programming errors.
The group, spearheaded by the US National Security Agency, hopes that exposing the programming flaws will result in more secure software and better teaching of computing students.
"Now, with the top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens," says Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace.
Experts from Microsoft, Oracle and Symantec were amongst the panel of more than 30 security specialists. The group reportedly agreed on the top 25 flaws relatively quickly, although not before "some heated discussion".
The group hopes that corporate buyers will demand written assurances that software is free of all 25 bugs before making purchases in the future. "Certification shifts responsibility to the vendor for correcting the errors and for any damage caused by those errors," claims the SANS Institute, which managed the top 25.
Whether software companies will be prepared to accept such liability remains to be seen.
The top 25 errors include failure to control code injection (which has been responsible for many high-profile attacks over the past 18 months), improper access controls and use of broken cryptography algorithms.
The full list of the top 25 errors is available here. The list will be regularly updated.