January 12, 2009 |

The 25 most dangerous programming screw-ups…. ever!

By John Lister

America’s two leading government security departments have funded a list of the 25 most dangerous mistakes which software developers make. The aim is to translate the list into a set of minimum standards for organisations to demand when buying software.

The list is produced by the SANS Institute, an international computer security research and consultancy group, but brings together input from 30 organisations including security experts and software producers. Both the National Security Agency and the Department of Homeland Security funded the project.

The logic behind the project is that most security flaws are simply variations on common themes and that it’s much more effective for developers to avoid leaving such holes in software in the first place than it is to patch individual flaws as they arise. Alan Paller, the director of the SANS Institute, says the goal should be for developers to “bake in” security rather than users “bolt on” fixes later on.

Some of the errors are pretty obvious security errors such as hiding a secret account and password in a program’s code, using an unreliable system for encrypting data, or using a security measure based on random numbers but making it so simple that these numbers actually become predictable.

There were also some problems based around flaws in the way computers operate, such as using programming languages which are susceptible to buffer overflows. That’s where a hacker is able to put more information into a section of computer memory than will fit, with the excess data flowing into – and giving control of – memory allocated to other applications.

But the report pegs a less high-profile issue as “the number one killer of healthy software”: improper input validation. It gives the ultra-simplified example of a program which expects a user to type in a number, but doesn’t prevent them from entering a letter. That example might not sound risky, but the report insists developers stick to the principle of assuming all input data could be a hacking attempt and thus only accepting it when it meets the expected format and content.
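To make the “expects a number” example concrete, here is an added Python illustration (not code from the article or from the SANS list). The naive version trusts the language’s built-in int() conversion, which quietly accepts more than plain digits; the hardened version applies the allow-list rule the report describes, checking both format (what characters are allowed) and content (what values make sense). The field name and range are assumed for the example.

```python
import re

# Allow-list format: 1-6 ASCII digits and nothing else.
# Note: [0-9] is used deliberately; \d in a Python str pattern also matches
# non-ASCII Unicode digits, and the `$` anchor would accept a trailing newline,
# so we rely on fullmatch() without anchors instead.
QUANTITY_RE = re.compile(r"[0-9]{1,6}")


def naive_parse_quantity(raw: str) -> int:
    """Naive check: rely on int() to reject anything that is 'not a number'.

    int() silently accepts leading/trailing whitespace, a sign, underscores
    between digits ("1_000") and non-ASCII digits such as Arabic-Indic "١٢".
    """
    return int(raw)


def parse_quantity(raw: str, lo: int = 1, hi: int = 1000) -> int:
    """Accept the field only when it meets the expected format AND content.

    Format: exactly 1-6 ASCII digits.  Content: value within [lo, hi]
    (assumed example range for an order quantity).
    """
    if not isinstance(raw, str) or not QUANTITY_RE.fullmatch(raw):
        raise ValueError("quantity must be 1-6 ASCII digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"quantity must be between {lo} and {hi}")
    return value


def check(parser, raw: str):
    """Run a parser on one input and report ('ok', value) or ('rejected', None)."""
    try:
        return ("ok", parser(raw))
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    # Constructed sample inputs: the first is the only one the hardened
    # validator accepts; the naive int() cast accepts several of the others.
    samples = ["12", " 12 ", "1_000", "-3", "\u0661\u0662", "12a", "5000"]
    for raw in samples:
        print(f"{raw!r:12} naive={check(naive_parse_quantity, raw)!s:14} "
              f"strict={check(parse_quantity, raw)}")
```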

Those behind the project hope it will allow corporations and government departments to refuse to buy any software unless it is free from the listed errors.
