Recent high-profile hackings were preventable, says CWE/SANS list of widespread vulnerabilities


A new report backed by the United States Department of Homeland Security was released yesterday, and it looks like many of the high-profile hackings over the past year were preventable. The 2011 edition of the annual CWE/SANS Top 25 Most Dangerous Software Errors lists some of the most widespread errors that make for serious vulnerabilities. According to the report, these errors "are often easy to find, and easy to exploit." The top of the list this year includes SQL injections, buffer overflows, cross-site scripting attacks and cross-site request forgeries.

Also mentioned is the failure to encrypt sensitive data, which is typically the culprit in major breaches, like that of Groupon's Indian subsidiary, which led to the leaking of 300,000 logins. The irony is that many of these problems can be fixed at relatively low cost, or wouldn't have been a problem in the first place if programmers were trained more in security. According to Alan Paller, director of research at SANS, programmers are generally not held accountable for vulnerabilities, and the process of reviewing their work is uneven. A good testing and review process can help protect companies from hackers and keep them from having a victim mentality.

For more:
- read the report (.pdf)
- check out this article at The Financial Times
- check out this article at PCWorld
