MIT Technology Review
The Department of Homeland Security has announced an initiative to shore up security by squashing software bugs. This follows a slew of high-profile attacks on government and corporate computer systems that have led to sensitive information being stolen.

The nonprofit, federally funded MITRE Corporation is unveiling several efforts aimed at helping businesses better defend their software. These include a list of the 25 most dangerous software errors, and guidance for businesses hoping to eliminate them; MITRE also offers tools to help businesses assess which vulnerabilities threaten them the most. These efforts were largely sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security, and are part of an ongoing effort to improve security in cyberspace.

MITRE’s tools, the development of which DHS has funded since 2005, take a different approach to security. A common approach to securing software is to buy products—firewalls, antivirus, and so on—often without a good sense of how they interact and what protection they really offer. But MITRE’s work suggests focusing elsewhere.

“What you really want to know is: What evidence do I have that I’m able to rely on my software?” says Robert Martin, principal engineer at MITRE. Instead of offering security features or products, Martin says, programmers need to focus on identifying and combating weaknesses in their code.

MITRE’s list was compiled after surveying security professionals in industry, government, and academia. These experts voted on which weaknesses are the most prevalent, the most dangerous, and the easiest to exploit. The end result, Martin says, is a list of the vulnerabilities that are the most attractive to attackers.

Recent real-world attacks seem to bear out the list’s rankings. For example, MITRE calls SQL injection, a technique that attacks the database behind a Web application, “the knockout punch of security weaknesses.” Indeed, it has been a favorite tool of two hacking groups that have been in the news: LulzSec and Anonymous.
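The weakness the article singles out is easiest to see as a pair of lookups over the same table: one that pastes user input into the SQL text, and one that binds it as a parameter. The following is an added example, not code from the article or from MITRE; the user table, the names in it, and the `find_user_*` function names are all constructed for illustration, and SQLite’s in-memory database stands in for the Web application’s real backend. The injection entry in MITRE’s catalogue is CWE-89.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row user table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The CWE-89 pattern: untrusted input is concatenated into the SQL string,
    so the input can change the meaning of the statement."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened form: the value is bound with a placeholder. The driver keeps
    it as data, so no input can alter the statement's structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on the same input and report the row counts, with
    'error' recorded when the concatenated query is no longer valid SQL."""
    conn = make_db()
    result = {}
    try:
        result["vulnerable"] = len(find_user_vulnerable(conn, name))
    except sqlite3.OperationalError:
        result["vulnerable"] = "error"
    result["safe"] = len(find_user_safe(conn, name))
    return result


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a name with an apostrophe, and the
    # textbook tautology that turns the WHERE clause into "always true".
    for probe in ["alice", "o'brien", "' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

Run as a script it prints one line per probe. The ordinary name returns one row from both functions, the apostrophe breaks the concatenated query outright (the kind of error a log-based detection would flag), and the tautology returns every row from the vulnerable lookup but nothing from the parameterized one. The fix is not input filtering but parameter binding, which is why MITRE’s guidance treats the weakness as a property of how the code is written rather than of which products sit in front of it.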

Tagged: Computing, Web, security, software, bugs, MITRE
