U.S. to Provide Guidelines to Bolster Computer Security
The Homeland Security Department plans to unveil on Monday a new system of guidance intended to help make the software behind many services — be they Web sites or power grids — less susceptible to hacking.
The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. To make the list actionable, it adds tools that help programmers eliminate the most dangerous classes of mistake and that let organizations demand, and buy, software that has been checked against them.
The effort to improve software security has been three years in the making, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit that conducts federal research in systems engineering.
The Homeland Security Department’s hope is that the program, which is voluntary, will make it easier for companies and agencies to better secure their corners of cyberspace and contribute to building safer global networks.
“We’re going after root cause issues,” said a senior department official, who declined to be named because the announcement of the new plans had not yet been made. “You can make your enterprise more resilient from the people who would attack you.”
The top 25 list was created by the nonprofit SANS Institute and Mitre with the help of top software security experts in the United States and Europe, and it includes programming errors that have been used in a number of recent headline-grabbing hacking attacks.
For instance, No. 1 on the list is the programming mistake, building a database query by splicing in unchecked user input, that allows so-called SQL-injection attacks on Web sites, which were successfully used by the hacker group LulzSec. That group was able to use the flaws to cause databases to spit out user names and passwords from Web sites, including one associated with the F.B.I.’s InfraGard program and NATO’s online bookstore.
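The mistake behind the No. 1 entry, and its fix, is small enough to show in a few lines. The following is an added illustration, not code from the article, from the list or from any of the sites named above: a login check that concatenates the user-supplied name and password into the SQL text, beside the same check written as a parameterized query. The table, the user records and the attack strings are constructed for the example; it uses only Python’s built-in sqlite3 module and runs offline.

```python
"""SQL injection: the programming mistake and the fix (added example)."""
import sqlite3

# Constructed sample data for the example; not real credentials.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The mistake: untrusted input becomes part of the SQL statement.

    Anything the attacker types is parsed by the database as SQL, so a
    quote character ends the string literal and the rest of the input is
    interpreted as query syntax.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, username, password):
    """The fix: a parameterized query.

    The SQL text is fixed at development time; the driver passes the
    values to the database separately, so they can never be parsed as
    query syntax no matter what characters they contain.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Attack strings (constructed). Both rely on "--" starting an SQL comment,
# which discards the rest of the original WHERE clause.
BYPASS_PAYLOAD = "' OR '1'='1' --"           # log in as every user
DUMP_PAYLOAD = "' UNION SELECT password FROM users --"  # read passwords


def demo():
    """Run both payloads against both implementations and return results."""
    conn = make_db()
    return {
        # Vulnerable: wrong password, yet every account is returned.
        "vuln_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        # Vulnerable: the username column now carries the password column.
        "vuln_dump": sorted(login_vulnerable(conn, DUMP_PAYLOAD, "wrong")),
        # Fixed: the same payloads are just strings that match no user.
        "fixed_bypass": login_fixed(conn, BYPASS_PAYLOAD, "wrong"),
        "fixed_dump": login_fixed(conn, DUMP_PAYLOAD, "wrong"),
        # Fixed: a legitimate login still works.
        "fixed_ok": login_fixed(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Escaping or filtering quote characters is not the fix; the error is that data and query text share one channel, and parameterized queries (or an equivalent prepared-statement API) are what remove it.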
The list also warns about the type of error that allowed hackers to steal several hundred thousand credit card numbers from a Citigroup site recently.
The guidance framework will include “vignettes” for industries like e-commerce, banking and manufacturing, and will highlight for them which programming errors are of greatest concern in the types of technologies they use.
Companies that make tools to test software for dangerous programming mistakes are already beginning to incorporate the framework into their products, said Alan Paller, head of research at SANS. Eventually, he said, there will be services that help businesses evaluate whether the software they are considering buying has stood up to such scrutiny.
Avoiding common programming mistakes is vital to fending off today’s worst attacks, he said. “This is the only way to get around ‘zero days,’ ” he said, referring to attacks that exploit software vulnerabilities not yet known to the vendor, for which no patch exists at the time they are used. “The only possible defense is to stop the error from being in the software in the first place.”