Earlier this year, a report from the SANS Institute showed that two of the twenty-five most dangerous programming errors led to more than 1.5 million website security breaches in 2008. The report is a joint effort of more than 30 US and international cyber security organizations, such as CERT, Red Hat and the Department of Homeland Security. The programming errors are grouped into three categories:
- Category: Insecure Interaction between Components (9 errors)
- Category: Risky Resource Management (9 errors)
- Category: Porous Defenses (7 errors)
As SANS Director Mason Brown said, every programming team must have the processes in place to find, fix, or avoid these problems, and have the tools needed to verify that their code is as free of these errors as automated tools can verify.
From this report, one can clearly conclude that security awareness and secure coding training are indeed a must. Programmers also need automated testing tools that help them measure the security of the software they are writing and, in doing so, train them to write secure code, since unfortunately most of these errors are not well understood by the programmers themselves.
Read the full SANS report here.