
Cyber security alert: Top 25 software writing blunders

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American





A new report warns that your computer software is probably less secure than you think. The SysAdmin, Audit, Network, Security (SANS) Institute, a cooperative research and education organization in Bethesda, Md., that also provides computer security training, on Monday released a report outlining the top 25 most dangerous errors that programmers make, errors that may lead to security breaches and open the door to cyber crime and espionage.

Nonprogrammers probably won't glean much from the list, given that the errors listed have techy titles such as "Improper Input Validation" and "Cleartext Transmission of Sensitive Information." Regardless of whether you understand what they mean, these problems affect much of the software that you use and potentially expose sensitive personal information to hackers.

Consider this scenario: you're buying a book online, but the Web site you're using was written with software containing some of these "top 25" errors. In layman's terms, improper input validation means that a hacker can enter garbage data (random letters, numbers and symbols) into the fields on the Web site's "payment" page, causing that page to malfunction, possibly allowing hackers to access the credit card numbers (along with expiration dates) of the site's customers. The software code doesn't include instructions to check (or validate) whether data entered into a given field is realistic (for example, a 20-digit credit card number should be rejected right away). If the site transfers and stores data in "cleartext" (read: unencrypted), it commits another error on the list and makes the hacker's job even easier.
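The check the scenario says is missing can be written in a few lines. The following Python sketch is an added example, not code from the SANS report or the article: it validates a submitted card-number field on the server before anything else touches it. The function names, the 13-to-19-digit range and the sample inputs are assumptions made for illustration.

```python
import re

# Card numbers are 13 to 19 digits long; this range is an assumption of the
# example based on common card schemes, not a figure from the article.
MIN_DIGITS, MAX_DIGITS = 13, 19
_ALLOWED = re.compile(r"[0-9 \-]+")  # ASCII digits plus separators users type


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card_number(raw) -> str:
    """Return the normalized digit string, or raise ValueError."""
    if not isinstance(raw, str) or len(raw) > 32:
        raise ValueError("card number must be a short text value")
    if not _ALLOWED.fullmatch(raw):
        raise ValueError("card number contains unexpected characters")
    digits = raw.replace(" ", "").replace("-", "")
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        raise ValueError("card number has an unrealistic length")
    if not luhn_ok(digits):
        raise ValueError("card number fails its checksum")
    return digits


def check(raw) -> str:
    """Classify one submitted value: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_card_number(raw)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: a widely used test number, a 20-digit value
# like the one in the scenario, and garbage letters and symbols.
SAMPLES = ["4111 1111 1111 1111", "41111111111111111111", "a9$kq#zz!!"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check(sample))
```

The validator works from an allowlist (only digits and two separators are acceptable) rather than trying to enumerate bad input, so garbage is rejected at the field boundary before it reaches the payment logic.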

A handful of these programming mistakes led to more than 1.5 million Web site security breaches last year alone, according to SANS. The report notes that compromised computers were used to attack other poorly secured computers, creating a cascading effect that allowed untold numbers of PCs to be hacked.

Hacking causes businesses, government agencies and people in general major headaches on a daily basis. In 2001, British citizen Gary McKinnon allegedly hacked into NASA's computers, stole 950 passwords and deleted files at a naval base in New Jersey (responsible for replenishing munitions and supplies for the Atlantic fleet), costing the U.S. government $700,000, according to PC World. (It would have been much worse if McKinnon had planted viruses in these computers.) The U.S. is still fighting to have McKinnon—who claims he was searching for info to prove the U.S. government has knowledge of UFOs—extradited from the U.K.

Software writing has always been something of a black art, given the number of computer programming languages out there and the general lack of guidelines or architecture that programmers are required to follow, IBM fellow and self-proclaimed "software archaeologist" Grady Booch told ScientificAmerican.com in June. Programmers are taught to get their creations to work, no matter what it takes. As a result, there is very little consistency from one program to the next.

Another problem: software writers in the 1980s and 1990s pushed to create more dynamic software that would attract new customers without much regard to security. Microsoft is a prime example of this and has spent the past decade shoring up its Windows operating system and other software that have become popular hacker targets. The emergence of the Web, and, with it, computers connecting into an unsecured public network exacerbated the problem by giving hackers remote access to their targets (they no longer had to sit in front of a computer in order to break into it).

The first step toward solving the problem, SANS director Mason Brown said in a statement, is "to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems."

Security experts acknowledge that improved software isn't going to prevent all cyber attackers but they say this is a good start. "The real dedicated serial attacker will probably find a way in even if all these errors were removed," Patrick Lincoln, director of the Computer Science Laboratory at SRI International, told the BBC. "But a high school hacker with malicious intent—ankle-biters if you will—would be deterred from breaking in."

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots.
