Foreign Policy Blogs

25 Poisonous Bugs

With abstract metaphors of cybersecurity involving foreign invaders or hacker burglaries, it is easy to forget that almost all security breaches come about because of actual human mistakes made while programming software or web sites.

It’s almost as if your architect, working in a slapdash manner, designed your house such that anyone could easily get in by crawling through an opening behind the fireplace. And every house in your neighborhood had the same problem. And people had been warning your architect that he had been making the same mistake for years.

An alliance of security analysts and government agencies teamed up to deliver 2010’s list of the top programming errors.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.

We talk about hack attacks as if they were a Predator drone strike or God with his finger on the Smite button: if the enemy has the will and the technology, there’s not much that can be done to stop it.

Untrue.

If hackers break into your system because Microsoft keeps failing to fix bugs, then it is Microsoft’s fault.

Since software developers have no legal liability, there is no financial incentive (apart from reputational costs) for a company to spend the extra money and time to get their programming right the first time.

One of the most critical things that Congress and the government can do to save us from the bad guys is to put the right incentives in place for private companies to get their security right before they get hacked.