The Green Sheet Online Edition

July 11, 2011  •  Issue 11:07:01


The 25 most dangerous software errors in 2011

Department of Homeland Security officials joined the SANS Institute (Systems Administration, Networking and Security Institute) and the MITRE Corp.'s Common Weakness Enumeration (CWE) to release the 2011 list of the most widespread, critical errors found in software, which itemizes the 25 programming errors most commonly used to breach critical stored data.

SANS Institute Director of Research Alan Paller called the report "the major first step to protecting" personal information stored by small and medium-sized organizations. The list's developers say these weaknesses are easy to locate, easy to exploit and dangerous because they often allow attackers to take over a system, steal data or disrupt software completely.

The goal of the list is to help software manufacturers identify and prevent common vulnerabilities, educate consumers and help researchers focus on aspects of security weaknesses. Software executives can use the list to assess their progress in securing their products.

The report is a collaboration among the SANS Institute, MITRE and security experts in the United States and Europe. MITRE built and maintains the CWE website with funding from the U.S. Department of Homeland Security's National Cyber Security Division. The Top 25 list is prioritized using the findings of more than 20 organizations that rated each weakness by prevalence, importance and likelihood of exploitation. This rating method is called the Common Weakness Scoring System (CWSS).

SQL attacks top the list

Number one on the Top 25 list is SQL injection: attacks that tamper with the Structured Query Language (SQL) queries a software system sends to its database. "If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security," the authors noted.

"They could modify the queries to steal, corrupt or otherwise change your underlying data. They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS, security company HBGary and many others."

To prevent or mitigate these attacks, the authors recommend using a vetted library or framework that blocks this weakness or makes it easier to avoid.

They also recommend structured mechanisms that automatically keep data separate from code, and running code with the lowest privileges required to accomplish the needed tasks.
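The two recommendations above (a mechanism that keeps data and code apart, and running with the least privilege needed) are easiest to see side by side. The following is an added example, not code from The Green Sheet article or from the CWE/SANS list: a login check written first in the vulnerable style, where the user's input is pasted into the SQL text, and then in the hardened style, where the SQL is fixed and the input is bound as a parameter; a third function has the database engine itself refuse anything but reads on the login path's handle. It uses only Python's standard-library sqlite3 module, an in-memory database, and constructed sample accounts (SHA-256 stands in for a proper password hash purely to keep the example short).

```python
"""Added example (not from The Green Sheet article or the CWE/SANS Top 25 text):
an SQL login check in its vulnerable and hardened forms, plus a least-privilege
database handle.  Uses only the standard-library sqlite3 module and an
in-memory database seeded with constructed sample users."""
import hashlib
import sqlite3

# Constructed sample accounts.  SHA-256 keeps the example short; a real system
# would use a slow, salted password hash (bcrypt, scrypt or Argon2).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(user, _hash(pw)) for user, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """CWE-89 pattern: the username is pasted into the SQL text itself, so a
    quote character in it becomes part of the query's logic instead of data."""
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, _hash(password))
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement with bound parameters: the SQL (code) is fixed when
    the program is written and the driver hands the input (data) to the engine
    separately, so the input can only ever be compared as a value."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, _hash(password))).fetchone() is not None


def restrict_to_reads(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least privilege: the login path only needs to read, so have the engine
    veto everything else.  sqlite3 exposes this as an authorizer callback; on a
    server database the equivalent is a dedicated account granted SELECT only."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def attempt_password_change(conn: sqlite3.Connection, username: str) -> bool:
    """Try a write through the handle; True only if the engine let it through."""
    try:
        conn.execute(
            "UPDATE users SET password_hash = ? WHERE username = ?",
            (_hash("changed"), username),
        )
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # "not authorized" once the authorizer is set
        return False


if __name__ == "__main__":
    db = build_db()
    # A tautology in the username turns the vulnerable WHERE clause true.
    probe = "alice' OR '1'='1"
    print("vulnerable, wrong password, tampered username:", login_vulnerable(db, probe, "nope"))
    print("hardened,   wrong password, tampered username:", login_hardened(db, probe, "nope"))
    print("hardened,   real credentials:", login_hardened(db, "alice", "correct horse"))
    restrict_to_reads(db)
    print("write through read-only handle:", attempt_password_change(db, "alice"))
```

The vulnerable query accepts the tampered username with a wrong password because the input rewrote the query's logic; the parameterized query rejects it because the same text is only ever compared against the username column. The authorizer is sqlite3's stand-in for a read-only database account: once it is installed, the login handle can still authenticate users but can no longer change a password, so a bug in that code path has far less to offer an attacker.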

The entire list of weaknesses and their fixes is available on the CWE website. The collaboration also produced two other new tools in the fight against cyber crime: the CWSS and the common weakness risk analysis framework.
