The Green Sheet Online Edition
July 11, 2011 • Issue 11:07:01
The 25 most dangerous software errors in 2011
Department of Homeland Security
officials joined the Systems Administration, Networking and Security Institute
and the MITRE Corp's. Common Weakness Enumeration
to release the 2011 list of most widespread, critical errors found in software, which itemizes the 25 most common programming errors that are used to breach critical stored data.
SANS Institute Director of Research Alan Paller called the report "the major first step to protecting" personal information stored by small and medium-sized organizations. The list developers claim software vulnerabilities are easily located, easily exploited and dangerous because they often allow attackers to take over a system, steal data or disrupt software completely.
The goal of the list is to help software manufacturers identify and prevent common vulnerabilities, educate consumers and help researchers focus on aspects of security weaknesses. Software executives can use the list to assess their progress in securing their products.
The report is a collaboration among the SANS Institute, MITRE and security experts in the United States and Europe. MITRE built and maintains the CWE website with funding from the U.S. Department of Homeland Security's National Cyber Security Division. The top 25 list is prioritized using the findings from more than 20 organizations that evaluated the weaknesses according to prevalence, importance and likelihood of the weakness to be exploited. This evaluation is called the common weakness scoring system (CWSS).
SQL attacks top the list
Number one on the top 25 list is attacks on the search and query language (SQL) of software systems. "If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security," the authors noted.
"They could modify the queries to steal, corrupt or otherwise change your underlying data. They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS, MySQL.com, security company HBGary and many others."
To prevent or mitigate these attacks the authors recommend using a vetted library or framework that blocks this weakness or makes the weakness easier to avoid.
They also recommend structured mechanisms that automatically separate data and code and running code using the lowest privileges required to accomplish the needed tasks.
The entire list of vulnerabilities and fixes can be seen at http://cwe.mitre.org/top25. The collaboration also produced two other new tools in the fight against cyber crime: the CWSS (http://cwe.mitre.org/cwss/) and the common weakness risk analysis framework ((http://cwe.mitre.org/cwraf/).
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.