International security organisations have updated and restructured a list of 25 common programming errors that cause security vulnerabilities and expose software users to cyber attack.
The US-funded collaboration project, which is managed by Mitre and the Sans Institute and brings together security experts from more than 30 organisations worldwide, first published its list of the 25 most dangerous programming errors in January 2009.
The structure of the list has been modified to make it easier to use by distinguishing mitigations and general secure programming principles from more concrete weaknesses, the organisations said.
This year's top 25 entries are prioritised using inputs from more than 20 organisations, which evaluated each weakness based on prevalence and importance.
Cross-site scripting (CWE-79) tops the list. The list is intended to help businesses improve their software procurement by letting them require, in contract language, that delivered code be free of these errors.
The goal is to push suppliers to test the security of their software and to provide customers with the results. "No one likes to share test results that show them writing bad code," said Alan Paller, director of research at the Sans Institute.
New York State is changing its procurement language to ensure that the top 25 errors are avoided, with other states expected to follow.
"The integrity of hardware and software products is a critical element of cybersecurity," the Office of the US Director of National Intelligence said.
"Creating more secure software is a fundamental aspect of system and network security, and the top 25 programming errors initiative is an important component of an overall security initiative for our country," it said.
"We applaud this effort and encourage the utility of this tool through other venues such as cyber education," it said.