Top 25 Programming Errors Released

By Christian Coley
15:12, January 13th 2009
A media event in Washington, D.C. is expected to unveil a list of the 25 most dangerous programming errors, compiled by experts from more than 30 U.S. and international cyber security organizations. The list was put together with the help of big companies such as Apple, Microsoft, Oracle, Red Hat and Symantec. It is managed by The SANS Institute and MITRE, and funded by the US Department of Homeland Security's National Cyber Security Division and the US National Security Agency (NSA).

The initiative is a government-sponsored software assurance effort. By publicizing these common programming errors, the participants want to make software code more secure; just two of the errors on the list are blamed for more than 1.5 million security breaches in 2008. The organizations and companies also want to make software safer for buyers, by letting purchasers require that vendors certify their software is free of these top 25 errors.

They also want to incorporate awareness of these errors into software testing tools, give educators the information they need to teach more secure programming techniques, and provide employers with a guide for judging whether programmers can write code free of these errors. It remains to be seen whether all of these goals will be met.

The first two errors on the Top 25 are improper input validation and improper encoding or escaping of output. In 2008, hundreds of thousands of generally trusted Web pages were modified to serve malware by automated programs that burrowed into their databases using SQL injection. Why did this type of attack work? Simply because countless programmers made the exact same mistake in their software: untrusted input was pasted into SQL queries as if it were part of the query. Back in 2005, a teenager used a cross-site scripting attack, the output-encoding half of the pair, to create a worm that hit the profiles of over 1 million MySpace users in less than a day.
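The two mistakes named above, side by side with their fixes, as an added example that is not part of the original article and not code from SANS or MITRE. The user table, the tautology and script payloads, and the allowlist pattern for user names are all constructed for this illustration; the database is an in-memory SQLite table so the example runs offline. `lookup_vulnerable` and `render_vulnerable` reproduce the errors (input concatenated into SQL, data written into HTML unencoded); `lookup_safe` and `render_safe` show the parameterized query and HTML escaping that close them, and `is_valid_username` shows the allowlist check that rejects the payloads before they reach either layer.

```python
import html
import re
import sqlite3

# Constructed sample rows for the example: not data from any real site.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# Assumed allowlist policy for user names: lowercase letter, then up to 31
# letters, digits or underscores. This is the input-validation half.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_valid_username(name):
    """Input validation: accept only names that fully match the allowlist."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def lookup_vulnerable(conn, name):
    """The mistake behind the 2008 mass SQL injection: untrusted input is
    concatenated into the SQL text, so a quote inside `name` changes the
    structure of the query instead of being treated as data."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(display_name):
    """The mistake behind the MySpace worm: data is written into HTML as-is,
    so a name that contains markup becomes script the browser executes."""
    return "<p>Hello, " + display_name + "</p>"


def render_safe(display_name):
    """Output encoding: escape <, >, & and quotes so the browser shows text."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both payloads through both code paths and return what each did."""
    conn = make_db()
    injected = "x' OR '1'='1"              # constructed tautology payload
    payload = "<script>alert(1)</script>"  # constructed stored-XSS payload
    return {
        "injected_is_valid_input": is_valid_username(injected),
        "vulnerable_rows": lookup_vulnerable(conn, injected),   # every row leaks
        "safe_rows": lookup_safe(conn, injected),               # no such user
        "vulnerable_html": render_vulnerable(payload),          # script tag intact
        "safe_html": render_safe(payload),                      # escaped text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run the file and compare the two `_rows` entries: the concatenated query returns every user for a name that matches nobody, while the bound parameter returns nothing. The same payload fails `is_valid_username`, which is why validation at the boundary and encoding at the output are treated as two separate errors on the list: each one catches what the other misses.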

The list targets the programming errors that enable cyber espionage and cyber crime, and it marks an important shift in software security awareness from a system-administrator-centered view to a software-engineering-centered view.

The list is divided into three categories of programming errors: Insecure Interaction Between Components (nine errors), Risky Resource Management (nine errors) and Porous Defenses (seven errors). The list should help improve the quality of programming classes and training programs by creating consensus about what the most common mistakes are and what developers can do in order to prevent them.

Hopefully, programmers will manage to avoid these errors in the future and make the Internet a safer environment for all of us. The state of New York is already using the list to adjust contract language with software vendors, according to a press release.



© 2007 - 2009 - eFluxMedia