Experts from more than 30 U.S. and international cyber security organizations, including the National Security Agency and the Department of Homeland Security's National Cyber Security Division, have just released a list of the 25 most dangerous programming errors that can lead to security bugs and enable cyber crime.
The panel of experts - including thought-leaders from Symantec, Microsoft and Purdue University - worked since last September on this project, breaking down the 25 errors into three categories:
The impact of these errors is far-reaching. In 2008, just two of them led to more than 1.5 million web site security breaches, cascading onto the computers of people who visited those web sites and turning those computers into zombies.
Coming at a time when banking regulators are focusing more on application security, this list gives banking/security leaders a place to start when assessing the security of their own applications, as well as those developed and managed by vendors.
"An institution can hand this list to their in-house programming staff, software vendors, and third-party service providers and say, 'Are you looking for these 25 errors?'" says Robert Martin, CWE Project Leader at MITRE, who coordinated the work done to develop the list. The SANS Institute and MITRE managed the initiative.
The Top 25 web site (cwe.mitre.org/top25/) provides detailed and authoritative information on mitigation. "Now by using the Top 25 we can spend less time working with police after the house has been robbed, and instead focus on getting locks on the doors before it happens," says Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).
The Business Value of Secure Software
For many years, organizations have wrestled with the problem of creating secure software, and have often learned the hard way, through system failures and breaches, before finding and fixing the bugs. These bugs typically exist because many of the underlying errors aren't well understood by the programmers who write the code, students aren't taught how to avoid them, and companies that develop software don't frequently test for their presence.
With this new list, institutions now have a security benchmark, Martin says. "[It's] something tangible, a measurable target that institutions can take action on to show progress on those high level directives from agencies that ask for application security to be strengthened," he says.
If an institution vets all of its software and applications against these 25 errors, its level of security will absolutely go up, Martin says. "It doesn't mean they're going to be invulnerable, but the weaknesses covered in the top 25 represent a huge attack surface."
Among the constituencies expected to benefit from the top 25 list:
Financial Industry Reaction
Industry experts see the Top 25 list as a positive step toward proactively improving application security.
"The researchers did an excellent job of cataloguing the top 25 errors, as well as providing resources to eliminate them," says Avivah Litan, a Gartner Group Distinguished Analyst. "I think there is good reason to be optimistic on this initiative."
With the added awareness that the Top 25 Errors will bring, Litan expects that old applications with vulnerabilities can be remediated and new ones can be developed to close the weak spots up front, before the software is operational. However, she cautions, "The main challenge will be getting this information into the right people's hands and making sure they pay attention to it."
Echoing Litan's optimism is Stephen Katz, former CISO at Citigroup and Merrill Lynch. "Coming up with sound, secure programming techniques is so desperately needed," he says. "Teaching people how to code securely is only overdue by about 20 years."
Securing software and applications hasn't been a top priority at financial institutions because of the onerous tasks that confront them, "but hopefully this Top 25 Error list will make it a priority," Katz says.