Tech project finds Top 25 coding flaws that let hackers in

By ABC News
January 13, 2009, 11:33 AM

A diverse group of technologists on Monday issued a list of the top 25 computer coding errors that lead to 85% of the criminal activity on the Internet.

The list is being hailed as a major breakthrough that should gradually make the Internet much safer. "When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence is likely to emerge," says Konrad Vesey, a member of the National Security Agency's Information Assurance Directorate.

The flaws in question are common coding errors that continue to turn up in software applications that run Web browsers, media players, and website computer servers. Such errors also are commonly found in the networking and database programs that support Internet communication and commerce.

It took an unusual project that cut against the grain of the intensely competitive tech industry to compile a list of the errors that cybercriminals most often seek out to steal data and commit fraud. Experts from Microsoft, Oracle, EMC and Apple collaborated with the NSA, the Department of Homeland Security and representatives from tech security firms, universities and industry groups, 37 organizations all told, to compile the list.

They now expect software developers to begin crafting new programs that take the top 25 flaws into account. Colleges are expected to begin shaping curricula that teach how to eradicate the top 25 errors. And the federal government will begin requiring software free of such flaws.

Positive effects will accelerate if companies begin using the list as a baseline for cleaning up existing systems, says Robert A. Martin, principal engineer at Mitre, a non-profit research firm.

"We can slow the introduction of new pollutants," says Martin.

The most active cybergangs are using tried-and-true techniques to search out Web applications containing the top flaws; they use simple tricks, such as overloading a poorly written program with too much input, to crack in.