The Department of Homeland Security has announced an initiative to shore up security by squashing software bugs. This follows a slew of high-profile attacks on government and corporate computer systems that have led to sensitive information being stolen.
The nonprofit, federally funded MITRE Corporation is unveiling several efforts aimed at helping businesses better defend their software. These include a list of the 25 most dangerous software errors, and guidance for businesses hoping to eliminate them; MITRE also offers tools to help businesses assess which vulnerabilities threaten them the most. These efforts were largely sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security, and are part of an ongoing effort to improve security in cyberspace.
MITRE’s tools, the development of which DHS has funded since 2005, take a different approach to security. A common approach to securing software is to buy products—firewalls, antivirus, and so on—often without a good sense of how they interact and what protection they really offer. But MITRE’s work suggests focusing elsewhere.
“What you really want to know is: What evidence do I have that I’m able to rely on my software?” says Robert Martin, principal engineer at MITRE. Instead of offering security features or products, Martin says, programmers need to focus on identifying and combating weaknesses in their code.
MITRE’s list was compiled after surveying security professionals in industry, government, and academia. These experts voted on the most prevalent, most dangerous, and easiest ways to exploit vulnerabilities. The end result, Martin says, is a list of the vulnerabilities that are the most attractive to attackers.
Recent real-world attacks seem to bear out the list’s rankings. For example, MITRE calls SQL injection, a technique that attacks the database of a Web application, “the knockout punch of security weaknesses.” Indeed, it has been a favorite tool of two hacking groups that have been in the news: Lulzsec and Anonymous.