30 Mar 07

Secure coding skills exam for programmers

from WashingtonPost.com:

Programmers can’t be expected to catch every single flub, but consider the evidence collected by Rohit Dhamankar. He spends hours poring over the CVE database in his role as senior manager of security research at security vendor TippingPoint. Dhamankar found that about 85 percent of those security flaws stem from three well-understood and avoidable programming errors.

The most common of the errors occurs when applications or Web sites accept input from the user — usually from something like a search box or e-mail form — but do not properly filter the data to remove or prevent potentially malicious code. Attackers often use the lack of such precautions to force Web sites to cough up customer data from their back-end databases.

Bad guys also can use poor input filtering to exploit “cross-site scripting” vulnerabilities, or XSS. These flaws allow crooks to bypass security controls or conduct sneaky attacks against Internet users through their Web browser.

Phishers love cross-site scripting flaws. They can employ them to make their scam sites more convincing by forcing a targeted financial institution’s Web site to load content from a site that the attackers control. In such a scenario, phishers send e-mail lures that instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site — such as the hacker’s copy of a real login form — the link puts the visitor on the bank’s actual Web site, giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker.

Last year, phishing gangs were spotted using a cross-site scripting flaw on PayPal’s Web site to trick people into revealing their login credentials. Around that time, Security Fix worked with Secure Science founder and phishing expert Lance James to locate dozens of cross-site scripting flaws on the Web sites of major financial institutions.

Cyber criminals also can use cross-site scripting to directly attack third-party Web sites. Security Fix spent most of the weekend camped out at the ShmooCon hacker conference here in Washington. One of the more unnerving talks came from Billy Hoffman, a researcher with Web site vulnerability company SPI Dynamics. Hoffman showed how attackers were able to dupe users into visiting a specially crafted link. The attackers then could use cross-site scripting to force the user’s browser to silently scan any public Web site for known security holes.
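The two errors the article describes both come from treating untrusted input as code: once in the database query, once in the HTML sent back to the browser. The following Python example is added here for illustration and is not from the Washington Post piece or from any project it mentions; it uses an in-memory SQLite table with constructed sample customers and shows the unsafe string-built query and raw HTML reflection next to their hardened forms (parameter binding and output escaping), which is the fix a secure-coding exam would expect a candidate to know.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory "customers" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid"),
            (2, "bob", "bob@example.invalid"),
        ],
    )
    return conn


def search_unsafe(conn, term):
    # The search-box value is pasted straight into the SQL text, so quote
    # characters in the input change the meaning of the statement.
    query = f"SELECT name FROM customers WHERE name = '{term}'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, term):
    # Parameter binding: the driver passes the term as a value, never as
    # SQL, so a quote in the input can only ever match a literal quote.
    query = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(query, (term,))]


def render_unsafe(term):
    # Reflecting the raw term into the page lets a browser interpret any
    # markup it contains; this is the reflected cross-site scripting case.
    return f"<p>Results for: {term}</p>"


def render_safe(term):
    # html.escape turns <, >, &, and quotes into entities, so the browser
    # displays the input as text instead of executing it.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    tampered = "x' OR '1'='1"  # constructed input that closes the quote
    print("unsafe, benign:  ", search_unsafe(db, benign))
    print("unsafe, tampered:", search_unsafe(db, tampered))  # every row leaks
    print("safe, tampered:  ", search_safe(db, tampered))    # no match
    print(render_unsafe("<b>hi</b>"))
    print(render_safe("<b>hi</b>"))
```

The hardened functions do not try to "filter out" bad characters; they keep the input as data at the boundary where it would otherwise become code. That is why parameterised queries and context-aware output encoding, rather than blacklists, are the accepted fixes for these two flaw classes.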

And now they have found a solution to nip the problem in the bud even before the software is churned out by manufacturers: a new programmers’ exam that would test their secure programming skills.

From Slashdot.com, an anonymous reader writes:

“The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says ‘This assessment and certification program will help programmers learn what they don’t know, and help organizations identify programmers who have solid security skills.’ The pilot exam will be held in Washington DC in August, followed by a global rollout.”

This will certainly get rid of those pesky bugs and vulnerabilities end users have had to contend with. Make it worth our money, boys! We expect only the best, most secure software from companies like Microsoft.

However, if software is made bugless… will there be less frequent updates? Will there be fewer “new” versions churned out every year? I hope so.


6 Responses to “Secure coding skills exam for programmers”


  1. 2 April 2007 at 12:29 am

    It is good if this will be taken care of by the big companies. Imagine… no need for them to patch those bugs, but instead add a new feature that will make the software better from time to time.

  2. 9 May 2007 at 7:34 pm

    Hi! Can I ask you for a link exchange with my site?

  3. 2 June 2007 at 12:49 pm

    It’s really hard to be a programmer… whew! Hehehe (feeling programmer… hehe)

  4. 3 March 2009 at 9:02 pm

    I agree, it’s really, really hard when you don’t study it seriously. Maybe it takes a lot of time to become a programmer.

  5. Eddie Q
     20 April 2009 at 6:29 am

    What does God or religion have to do with happiness? You’re delusional and definitely confused.
    You must have been indoctrinated by your religion, whatever your religion is, which gives you this sense of guilt and shame when things don’t follow your way on the right path. Your way of thinking is already programmed to follow the church’s teachings (since you joined it willingly or through your parents’ desire to have you be a member of the church) and will not allow you to question its doctrine. And you mentioned that losing loved ones makes it tough for anyone. Again, if you think it’s tough, then your mind is set to think it’s tough. Never allow yourself to think negatively or else your karma will just go berserk. Just let go of your religious belief and you will find real happiness in life without being fearful of going to hell. The bottom line is: “No one can find happiness except only in the state of mind.”

