Bug-Squashing Tools Offered to Improve Network Security

After a spate of hacking attacks, the Department of Homeland Security is promoting ways to make software more trustworthy.

The Department of Homeland Security has announced an initiative to shore up security by squashing software bugs. This follows a slew of high-profile attacks on government and corporate computer systems that have led to sensitive information being stolen.

The nonprofit, federally funded MITRE Corporation is unveiling several efforts aimed at helping businesses better defend their software. These include a list of the 25 most dangerous software errors, and guidance for businesses hoping to eliminate them; MITRE also offers tools to help businesses assess which vulnerabilities threaten them the most. These efforts were largely sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security, and are part of an ongoing effort to improve security in cyberspace.

MITRE’s tools, the development of which DHS has funded since 2005, take a different approach to security. A common approach to securing software is to buy products—firewalls, antivirus, and so on—often without a good sense of how they interact and what protection they really offer. But MITRE’s work suggests focusing elsewhere.

“What you really want to know is: What evidence do I have that I’m able to rely on my software?” says Robert Martin, principal engineer at MITRE. Instead of offering security features or products, Martin says, programmers need to focus on identifying and combating weaknesses in their code.

MITRE’s list was compiled after surveying security professionals in industry, government, and academia. These experts voted on the most prevalent, most dangerous, and easiest ways to exploit vulnerabilities. The end result, Martin says, is a list of the vulnerabilities that are the most attractive to attackers.

Recent real-world attacks seem to bear out the list’s rankings. For example, MITRE calls SQL injection, a technique that attacks the database of a Web application, “the knockout punch of security weaknesses.” Indeed, it has been a favorite tool of two hacking groups that have been in the news: Lulzsec and Anonymous.
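MITRE's description of SQL injection above refers to a weakness in how a query is assembled. As an added illustration (not from the article or from MITRE), the Python script below contrasts a lookup built by string concatenation with a parameterized one, using a constructed in-memory SQLite table and a constructed input containing a quote character:

```python
import sqlite3


def make_db():
    """Constructed sample table; stands in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Weakness: untrusted input is pasted into the SQL text, so a quote
    # character in the input can change the query's structure rather
    # than merely the value being compared.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Mitigation: parameter binding keeps the query structure fixed; the
    # engine treats the entire input as one string literal.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Constructed input: the quote terminates the literal early, and the
# trailing tautology makes the WHERE clause true for every row.
HOSTILE = "x' OR '1'='1"


def compare(name):
    """Return (vulnerable_result, safe_result) for the same input."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    print("benign :", compare("alice"))
    print("hostile:", compare(HOSTILE))
```

The hostile input returns every user from the concatenated query and nothing from the parameterized one, which is the whole difference between the weakness and its fix.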

Lulzsec has used SQL injection to target the PBS.org website and computers belonging to Sony BMG, among many others over the past 50 days. Anonymous, which is known for its politically motivated attacks, has used the same technique to attack HBGary Federal, retaliating for the company CEO’s claims that he had unmasked key members of the group.

MITRE hopes that its list and tools will help businesses secure their software. “The big problem we’ve continuously run into is a lot of business leaders don’t understand the role software plays in their enterprise,” says Martin. For example, Sony, which has been subjected to repeated hacks in recent months, has been accused of lax security.

Because of this, MITRE also released a new version of its Common Weakness Risk Analysis Framework, software that helps businesses automatically select and prioritize the weaknesses most likely to bite them. It does this in part by putting weaknesses in context, sketching out industry-specific scenarios that help leaders understand exactly what role an application plays in the enterprise, and how a breach could affect them.

The system can help a business discover “what kind of failure is the worst for your application given what it’s doing for your business,” says Martin. “That doesn’t change what attackers are going for, but it does change where you prioritize.”

Many of the problems identified by MITRE have been around for a long time, but that doesn’t make them any less dangerous, says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a company that helps website owners secure their sites. Grossman was one of the security experts surveyed by MITRE.

To make websites more secure, Grossman says, it is important to deal with all the vulnerabilities that are already out there.

“Rewriting the Web is probably impractical,” he jokes, adding that what a website is vulnerable to has a lot to do with when it was coded.

“Tons of tools and guidance are already out there,” Grossman says. “It’s adoption that we need.” He adds that companies need to look at improving their software, and believes that the Department of Homeland Security can use its muscle and purchasing power to pressure companies to secure code against the most dangerous errors.
