The Green Sheet Online Edition

July 11, 2011 • Issue 11:07:01

The 25 most dangerous software errors in 2011

Department of Homeland Security officials joined the Systems Administration, Networking and Security Institute (SANS) and the MITRE Corp.'s Common Weakness Enumeration (CWE) to release the 2011 list of the most widespread and critical errors found in software. The list itemizes the 25 most common programming errors that attackers use to breach critical stored data.

SANS Institute Director of Research Alan Paller called the report "the major first step to protecting" personal information stored by small and medium-sized organizations. The list's developers say these weaknesses are easy to locate, easy to exploit and dangerous because they often allow attackers to take over a system, steal data or disrupt software completely.

The goal of the list is to help software manufacturers identify and prevent common vulnerabilities, educate consumers and help researchers focus on aspects of security weaknesses. Software executives can use the list to assess their progress in securing their products.

The report is a collaboration among the SANS Institute, MITRE and security experts in the United States and Europe. MITRE built and maintains the CWE website with funding from the U.S. Department of Homeland Security's National Cyber Security Division. The top 25 list is prioritized using the findings of more than 20 organizations that rated each weakness by prevalence, importance and likelihood of exploitation. This rating method is called the Common Weakness Scoring System (CWSS).

SQL attacks top the list

Number one on the top 25 list is SQL injection: attacks on the Structured Query Language (SQL) used to query the databases behind software systems. "If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security," the authors noted.

"They could modify the queries to steal, corrupt or otherwise change your underlying data. They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS, MySQL.com, security company HBGary and many others."

To prevent or mitigate these attacks the authors recommend using a vetted library or framework that blocks this weakness or makes the weakness easier to avoid.

They also recommend structured mechanisms that automatically separate data from code, and running code with the lowest privileges required to accomplish the needed tasks.
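The two recommendations above, a mechanism that keeps data separate from code and a least-privilege connection, can be shown side by side in a few lines. The following is an added example written for this article, not code from the CWE/SANS report: it builds a constructed two-row users table in a temporary SQLite file, compares a lookup that pastes input into the query text with one that uses a parameter placeholder, and opens the database read-only so that a query whose logic has been altered still cannot modify the table. The table, the row values and the test input are all constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def make_db(path):
    """Create a constructed users table with two sample rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    conn.close()


def open_readonly(path):
    """Least privilege: the lookup code only needs to read, so it opens
    the file in read-only mode. Even if a query's logic is altered, no
    write can succeed over this connection."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_concat(conn, name):
    """Weak: the caller's input becomes part of the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened: the ? placeholder hands the value to the driver as data;
    the statement's structure is fixed before the value is seen."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def write_refused(conn):
    """True if the read-only connection rejects a data-modifying statement."""
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups on the same input and report what each returns."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "users.db")
        make_db(path)
        conn = open_readonly(path)
        # Constructed input containing a quote: it closes the string literal
        # in the concatenated query and appends a clause that is always true.
        hostile = "x' OR '1'='1"
        result = {
            "concat": lookup_concat(conn, hostile),   # every row comes back
            "param": lookup_param(conn, hostile),     # no user has that name
            "legit": lookup_param(conn, "alice"),     # normal lookup still works
            "write_refused": write_refused(conn),     # read-only blocks writes
        }
        conn.close()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the concatenated query returning both rows for an input that names no user, while the parameterized query returns nothing for it and still finds "alice" normally; the read-only connection refuses the DELETE regardless of how the query was built. The same pattern (placeholders for values, a connection with only the rights the code path needs) applies to any driver or ORM, which is what the authors' advice to use a vetted library amounts to in practice.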

The entire list of vulnerabilities and fixes can be seen at http://cwe.mitre.org/top25. The collaboration also produced two other new tools in the fight against cyber crime: the CWSS (http://cwe.mitre.org/cwss/) and the Common Weakness Risk Analysis Framework (http://cwe.mitre.org/cwraf/).
