Bug-Squashing Tools Offered to Improve Network Security

After a spate of hacking attacks, the Department of Homeland Security is promoting ways to make software more trustworthy.
June 27, 2011

The Department of Homeland Security has announced an initiative to shore up security by squashing software bugs. This follows a slew of high-profile attacks on government and corporate computer systems that have led to sensitive information being stolen.

The nonprofit, federally funded MITRE Corporation is unveiling several efforts aimed at helping businesses better defend their software. These include a list of the 25 most dangerous software errors, and guidance for businesses hoping to eliminate them; MITRE also offers tools to help businesses assess which vulnerabilities threaten them the most. These efforts were largely sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security, and are part of an ongoing effort to improve security in cyberspace.

MITRE’s tools, the development of which DHS has funded since 2005, take a different approach to security. A common approach to securing software is to buy products—firewalls, antivirus, and so on—often without a good sense of how they interact and what protection they really offer. But MITRE’s work suggests focusing elsewhere.

“What you really want to know is: What evidence do I have that I’m able to rely on my software?” says Robert Martin, principal engineer at MITRE. Instead of offering security features or products, Martin says, programmers need to focus on identifying and combating weaknesses in their code.

MITRE’s list was compiled after surveying security professionals in industry, government, and academia. These experts voted on the most prevalent, most dangerous, and easiest ways to exploit vulnerabilities. The end result, Martin says, is a list of the vulnerabilities that are the most attractive to attackers.

Recent real-world attacks seem to bear out the list’s rankings. For example, MITRE calls SQL injection, a technique that attacks the database of a Web application, “the knockout punch of security weaknesses.” Indeed, it has been a favorite tool of two hacking groups that have been in the news: Lulzsec and Anonymous.

Lulzsec has used SQL injection to target the PBS.org website and computers belonging to Sony BMG, among many others over the past 50 days. Anonymous, which is known for its politically motivated attacks, has used the same technique to attack HBGary Federal, retaliating for the company CEO’s claims that he had unmasked key members of the group.
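To make concrete what the “knockout punch” above actually is, here is an added example (not from the article or from MITRE) contrasting a lookup that pastes untrusted input into SQL text with the parameterised form that closes the weakness. It uses an in-memory SQLite table with constructed sample rows, so it runs offline.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a Web application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The weakness: the caller's string becomes part of the SQL statement,
    # so quote characters in it can change the query's structure rather
    # than just the value being compared.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # The fix: a parameterised query. The driver binds the value separately
    # from the SQL text, so whatever the caller sends is only ever compared
    # as a plain string literal.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    # Constructed inputs: a normal username and the textbook tautology that
    # closes the quoted literal. Returns results from both lookups so the
    # difference can be checked directly.
    conn = make_db()
    benign = "alice"
    tampered = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),  # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_tampered": lookup_safe(conn, tampered),  # no such user: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same contrast is the basis of a quick code-review check: any query built with string concatenation or formatting of request data is a candidate for this weakness, whatever the database engine.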

MITRE hopes that its list and tools will help businesses secure their software. “The big problem we’ve continuously run into is a lot of business leaders don’t understand the role software plays in their enterprise,” says Martin. For example, Sony, which has been subjected to repeated hacks in recent months, has been accused of lax security.

Because of this, MITRE also released a new version of its Common Weakness Risk Analysis Framework, software that helps businesses automatically select and prioritize the weaknesses most likely to bite them. It does this in part by putting weaknesses in context, sketching out industry-specific scenarios that help leaders understand exactly what role an application plays in the enterprise, and how a breach could affect them.

The system can help a business discover “what kind of failure is the worst for your application given what it’s doing for your business,” says Martin. “That doesn’t change what attackers are going for, but it does change where you prioritize.”

Many of the problems identified by MITRE have been around for a long time, but that doesn’t make them any less dangerous, says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a company that helps website owners secure their sites. Grossman was one of the security experts surveyed by MITRE.

To make websites more secure, Grossman says, it is important to deal with all the vulnerabilities that are already out there.

“Rewriting the Web is probably impractical,” he jokes, adding that what a website is vulnerable to has a lot to do with when it was coded.

“Tons of tools and guidance are already out there,” Grossman says. “It’s adoption that we need.” He adds that companies need to look at improving their software, and believes that the Department of Homeland Security can use its muscle and purchasing power to pressure companies to secure code against the most dangerous errors.
