Fortify Software, provider of products that identify and remediate security vulnerabilities in software to mitigate enterprise security risk, today announced that it has contributed an extensive classification of software security errors to the non-profit Open Web Application Security Project (OWASP). The classification of 115 security vulnerability categories will help software developers and security practitioners understand the common coding mistakes that affect software security and more readily identify security problems. OWASP will help manage the research from Fortify Software as part of the organization's library of free, unbiased open source documentation, tools and standards.

"OWASP is assembling the most comprehensive guide to application security principles, threats, attacks, vulnerabilities, and countermeasures ever attempted," said Jeff Williams, chairman of OWASP. "Integrated with the rest of our materials, Fortify Software's vulnerability research will help anyone acquiring, designing, building, testing, or deploying critical applications make informed decisions about application security."

The classification of software security errors entitled the "Seven Pernicious Kingdoms" organizes security vulnerabilities into seven top level sets of security problems that can be used to help software developers understand the types of coding errors that can increase security risk. By better understanding how systems fail, developers will better analyze the software they create, more readily identify and address security problems when they see them, and generally avoid repeating the same mistakes in the future.

"When put to work in an analysis tool, a set of security rules organized according to this classification is a powerful mechanism for reducing security risk," said Dr. Brian Chess, Chief Scientist at Fortify Software. "Software development practices have only just begun to look at the myriad of ways security problems factor into coding -- making a classification like this available should provide tangible benefits to the software security community."

Together with a research team that included Katrina Tsipenyuk of the Fortify Security Research Group and Gary McGraw, the chief technology officer of Cigital, Dr. Chess identified 115 security vulnerability categories present in today's software and organized them in top-level "kingdoms" which include:  Input Validation and Representation,  API Abuse,  Security Features, Time and State, Errors, Code Quality, Encapsulation