The Department of Homeland Security has announced an initiative to shore up security by squashing software bugs. This follows a slew of high-profile attacks on government and corporate computer systems that have led to sensitive information being stolen.
The nonprofit, federally funded MITRE Corporation is unveiling several efforts aimed at helping businesses better defend their software. These include a list of the 25 most dangerous software errors, and guidance for businesses hoping to eliminate them; MITRE also offers tools to help businesses assess which vulnerabilities threaten them the most. These efforts were largely sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security, and are part of an ongoing effort to improve security in cyberspace.
MITRE’s tools, which DHS has funded since 2005, take a different approach to security. The usual approach is to buy products—firewalls, antivirus, and so on—often without a clear sense of how they interact or what protection they actually provide. MITRE’s work suggests focusing elsewhere: on the code itself.
“What you really want to know is: What evidence do I have that I’m able to rely on my software?” says Robert Martin, principal engineer at MITRE. Instead of offering security features or products, Martin says, programmers need to focus on identifying and combating weaknesses in their code.
MITRE’s list was compiled after surveying security professionals in industry, government, and academia. These experts ranked software weaknesses by how widespread they are, how much damage they cause, and how easily attackers can exploit them. The end result, Martin says, is a list of the weaknesses that are most attractive to attackers.
Recent real-world attacks seem to bear out the list’s rankings. For example, MITRE calls SQL injection—in which untrusted input is pasted into a Web application’s database query so that an attacker can change what the query does—“the knockout punch of security weaknesses.” Indeed, it has been a favorite tool of two hacking groups that have been in the news: Lulzsec and Anonymous.
Lulzsec has used SQL injection to target the PBS.org website and computers belonging to Sony BMG, among many others over the past 50 days. Anonymous, which is known for its politically motivated attacks, has used the same technique to attack HBGary Federal, retaliating for the company CEO’s claims that he had unmasked key members of the group.
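The weakness MITRE is describing is easy to see in a few lines of code. The example below is added here and is not from the article, MITRE, or any of the sites mentioned: it builds a throwaway SQLite table with one constructed user, then compares a login check that concatenates user input into the query string with one that passes the input as bound parameters. The table, the user, and the two payloads are all assumed for illustration.

```python
import sqlite3


def setup_db():
    # Constructed sample data: an in-memory table with a single user.
    # Storing the password in clear text is only to keep the demo short;
    # a real system would store a salted password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The weakness: untrusted input is spliced into the SQL text, so the
    # database parses whatever the user typed as part of the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # The fix: bound parameters. The driver sends the input as data, and the
    # database never interprets it as SQL, whatever characters it contains.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def breaks_on_apostrophe(conn):
    # Same root cause, seen as a functional bug rather than an attack: a
    # legitimate value containing a quote corrupts the concatenated query.
    try:
        login_vulnerable(conn, "o'brien", "whatever")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = setup_db()
    # Two classic payloads: one turns the WHERE clause into a tautology,
    # the other comments out the password check entirely.
    tautology = "' OR '1'='1"
    comment_out = "alice'--"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
        "vuln_breaks_on_quote": breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the tautology payload the concatenated query becomes `... AND password = '' OR '1'='1'`, which matches every row, so the vulnerable check returns True with no valid password; the parameterized check compares the literal string `' OR '1'='1` against the stored password and correctly fails. The parameterized version is also the one that does not fall over on a legitimate name like `o'brien`.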
MITRE hopes that its list and tools will help businesses secure their software. “The big problem we’ve continuously run into is a lot of business leaders don’t understand the role software plays in their enterprise,” says Martin. For example, Sony, which has been subjected to repeated hacks in recent months, has been accused of lax security.
To address this, MITRE also released a new version of its Common Weakness Risk Analysis Framework, software that helps businesses automatically select and prioritize the weaknesses most likely to bite them. It does this in part by putting weaknesses in context, sketching out industry-specific scenarios that help leaders understand exactly what role an application plays in the enterprise and how a breach could affect them.
The system can help a business discover “what kind of failure is the worst for your application given what it’s doing for your business,” says Martin. “That doesn’t change what attackers are going for, but it does change where you prioritize.”
Many of the problems identified by MITRE have been around for a long time, but that doesn’t make them any less dangerous, says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, a company that helps website owners secure their sites. Grossman was one of the security experts surveyed by MITRE.
To make websites more secure, Grossman says, it is important to deal with all the vulnerabilities that are already out there.
“Rewriting the Web is probably impractical,” he jokes, adding that what a website is vulnerable to has a lot to do with when it was coded.
“Tons of tools and guidance are already out there,” Grossman says. “It’s adoption that we need.” He adds that companies need to look at improving their software, and believes that the Department of Homeland Security can use its muscle and purchasing power to pressure companies to secure code against the most dangerous errors.