Lulzsec has used SQL injection to target the PBS.org website and computers belonging to Sony BMG, among many others over the past 50 days. Anonymous, which is known for its politically motivated attacks, has used the same technique to attack HBGary Federal, retaliating for the company CEO’s claims that he had unmasked key members of the group.
MITRE hopes that its list and tools will help businesses secure their software. “The big problem we’ve continuously run into is a lot of business leaders don’t understand the role software plays in their enterprise,” says Martin. For example, Sony, which has been subjected to repeated hacks in recent months, has been accused of lax security.
Because of this, MITRE also released a new version of its Common Weakness Risk Analysis Framework, software that helps businesses automatically select and prioritize the weaknesses most likely to bite them. It does this in part by putting weaknesses in context, sketching out industry-specific scenarios that help leaders understand exactly what role an application plays in the enterprise, and how a breach could affect them.
The system can help a business discover “what kind of failure is the worst for your application given what it’s doing for your business,” says Martin. “That doesn’t change what attackers are going for, but it does change where you prioritize.”
Many of the problems identified by MITRE have been around for a long time, but that doesn’t make them any less dangerous, says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a company that helps website owners secure their sites. Grossman was one of the security experts surveyed by MITRE.
To make websites more secure, Grossman says, it is important to deal with all the vulnerabilities that are already out there.
“Rewriting the Web is probably impractical,” he jokes, adding that what a website is vulnerable to has a lot to do with when it was coded.
“Tons of tools and guidance are already out there,” Grossman says. “It’s adoption that we need.” He adds that companies need to look at improving their software, and believes that the Department of Homeland Security can use its muscle and purchasing power to pressure companies to secure code against the most dangerous errors.