The Homeland Security Department unveiled a new system of guidance Monday intended to help make the software behind websites, power grids and other services less susceptible to hacking.
The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. It adds new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to buy more secure products.
The effort to improve software security has been three years in the making, according to Robert Martin, principal engineer at Mitre, a technology nonprofit organization that conducts federal research in systems engineering.
The cost of flaws or omissions that make software susceptible to attack was highlighted by a number of recent attacks that resulted in the theft of credit card information, user names and passwords from government and banking sites.
The guidance could spur a long-awaited shift in the technology industry’s approach to computer security, one that puts software security, rather than network security, at the heart of the effort, said Jeremiah Grossman, chief technology officer of WhiteHat Security, a firm that helps companies secure their websites.
The top 25 list was created by SANS Institute, a nonprofit research and education organization, and Mitre with the help of top software security experts in the U.S. and Europe. It includes programming errors that have been used in a number of recent hacking attacks.
No. 1 on the list is a programming mistake that allows so-called SQL-injection attacks on websites, which were successfully used by the hacker group LulzSec. That group was able to use the flaws to cause databases to spit out user names and passwords from websites, including one associated with the FBI’s InfraGard program and NATO’s online bookstore.
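To make concrete what the No. 1 entry refers to, here is an added illustration that is not part of the article or of the Mitre/SANS list: a lookup that splices user input straight into SQL text, placed beside the parameterized form that fixes it. The table, rows and function names are constructed for this example; it uses Python's built-in sqlite3 module with an in-memory database so it runs offline.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny users table.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw"),
    ("bob", "hash-of-bob-pw"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The programming mistake behind SQL injection: untrusted input is
    # concatenated into the SQL text, so the database cannot distinguish
    # attacker-controlled data from the structure of the query.
    query = ("SELECT username, pw_hash FROM users WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # The fix: the SQL text is fixed and the value is bound separately by
    # the driver, so whatever the input contains it is treated as a string
    # literal and can never alter the query's structure.
    query = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups on a normal username and on a malformed input."""
    conn = make_db()
    normal = "alice"
    # Malformed input that turns the concatenated WHERE clause into a
    # condition that is always true; the bound version leaves it inert.
    malformed = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_malformed": lookup_vulnerable(conn, malformed),
        "safe_normal": lookup_safe(conn, normal),
        "safe_malformed": lookup_safe(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run as a script, the vulnerable lookup returns every row of the table for the malformed input, which is exactly the "spit out user names and passwords" behaviour the article describes, while the parameterized lookup returns nothing for it and the correct single row for a real username. Static and dynamic testing tools that check for this entry on the list look for the first pattern (SQL text assembled from input) and expect the second.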
The list also warns about the type of error that allowed hackers to steal several hundred thousand credit card numbers from a Citigroup site recently.
Companies that make tools to test software for dangerous programming mistakes are already beginning to incorporate the framework into their products, said Alan Paller, director of research at the SANS Institute, before the presentation. And eventually there will be services that help businesses evaluate whether the software they are considering has stood up to scrutiny.
Source: http://www.bendbulletin.com/article/20110628/NEWS0107/106280340/

