Ensuring Your Own Application Security
5. Buffer overflows: Miscreant is allowed to input so much data that memory gets junked up and starts accepting malicious commands.
6. Command injection flaws: User’s Web application executes malicious commands because it doesn’t know any better.
7. Error-handling problems: Error messages give away information. For example, "ODBC Error" signals that a SQL injection (such as the SQL Slammer) is possible.
8. Insecure use of cryptography: Use of homegrown, weak cryptography is easily compromised by professional bad guys.
9. Remote administration flaws: Web apps allow remote control of machines on a known port with predictable default configurations, making hacking child’s play.
10. Web and application server misconfiguration: Unused features that leave ports open make servers vulnerable.
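To make item 5 concrete, here is an added example (not from the article or from SEI) of the fixed-size buffer copy behind most buffer overflows, beside the bounded version a first-year programmer could write; the 16-byte field and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: fixed-size field in the application */

/* Vulnerable form: copies caller-controlled input into a fixed buffer
 * with no length check. If src holds NAME_LEN or more bytes, strcpy
 * writes past the end of dst and corrupts whatever follows it in memory.
 * Kept only for contrast; nothing below calls it. */
void copy_name_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: refuse input that does not fit, instead of silently
 * truncating or overflowing. Returns 1 and fills dst on success, or
 * returns 0 and leaves dst as an empty string on rejection. */
int copy_name_bounded(char dst[NAME_LEN], const char *src)
{
    /* Look for the terminator only within the space we actually have. */
    const char *end = memchr(src, '\0', NAME_LEN);
    if (end == NULL) {
        /* No terminator inside NAME_LEN bytes: the input is too long. */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* includes the '\0' */
    return 1;
}

int main(void)
{
    char name[NAME_LEN];
    const char *ok = "alice";                                /* constructed */
    const char *too_long = "a-name-that-is-far-too-long";    /* constructed */

    printf("\"%s\" accepted: %d\n", ok, copy_name_bounded(name, ok));
    printf("\"%s\" accepted: %d\n", too_long, copy_name_bounded(name, too_long));
    return 0;
}
```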
SEI studied 2,500 software products and 56,000 security incidents, and found the vast majority of problems are caused by those defects. Buffer overflows alone account for 40 percent to 60 percent of incidents, says CEO Steve Cross. What’s more, the flaws are, from a coding perspective, simple to fix.
"The thing that frustrates me is people think that since the problem is so prevalent, it must be complex," says Cross. "It’s not. If the public understood that any freshman computer science student knows how to fix these problems, there would be an outcry. And there should be."
The trick with code defects is to find them. A million-line software program, which is about the size of the average CAD/CAM package, comprises 20,000 pages of text. Finding errors, even in poorly written programs that will have two or so errors per page, is like finding needles in a binary haystack. And, once you do find the vulnerabilities, you have to make sure the fix doesn’t break anything else.
This used to provide a reasonable excuse for letting bad software practices continue. But a new class of application scanning software is emerging that makes the process of finding flaws almost trivial.
How to Take Responsibility for More Secure Software
Scan Everything...
Application scanning is based on the proposition that programming errors are reasonably predictable and limited, even if their consequences are not. (See "Application Scanning Vendors and Products," Page 68, for eight top scanning tools on the market.)
Once you buy (one large insurance company recently paid $120,000) and then train your developers and IT staff to use the application (which should take anywhere from two days to two weeks), plan to use it in two ways.
First, make app scans a mandated part of all application audits. Whether it’s internally developed code or third-party software, create a checkpoint at which an application must contain fewer than a certain number of bugs, with all egregious errors eliminated.