The government is here to help you. No, really. The Department of Homeland Security released this week a detailed list of the top 25 errors that make programs vulnerable to hacking attacks. Hopefully, the list will be used more by programmers who become aware of such errors and stop making them than by hackers looking for new ways to break into systems.
The list, as well as information about how to fix such errors, took three years to produce and was generated by the nonprofit, federally funded MITRE Corp. and sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security. MITRE created the list after surveying security professionals in industry, government, and academia.
"Recent real-world attacks seem to bear out the list's rankings," noted an article in Technology Review on MITRE's work. "For example, MITRE calls SQL injection, a technique that attacks the database of a Web application, 'the knockout punch of security weaknesses.' Indeed, it has been a favorite tool of two hacking groups that have been in the news: LulzSec and Anonymous."
What's particularly interesting about the list is not any particular item on it -- which, frankly, shouldn't be a surprise to anybody; some of them have even entered the popular lexicon -- but the fact that it exists at all. First of all, many computer security efforts have focused on the user end, getting people to implement antivirus software and so on. While lists like these circulate in programming circles, this one is being much more widely publicized. Moreover, fixing problems like these at the source will put users in less of a defensive position, Jeremiah Grossman, chief technology officer of WhiteHat Security, a firm that helps companies secure their Web sites, told the New York Times.
Second, it's a switch in direction for government entities in general, which tend to prefer "security through obscurity," or hiding the details of how things work -- and particularly the ways in which they can be broken -- for fear that a hacker might find them and exploit them. Apparently some people have finally figured out that, hello, hackers already know this stuff, and it's time to make sure everyone else knows it, too.
In addition to the list itself, MITRE has released a new version of its Common Weakness Risk Analysis Framework that helps companies determine which of the risks are most significant to them.
That said, it's hard to say how much help the list will actually be -- it's not like anything on the list is particularly new or surprising, and whatever's kept programmers from fixing these kinds of errors in the past, whether it's insufficient testing or insufficient development time or whatever, isn't likely to change. And the weak link continues to be human beings and social engineering. “There’s no device known to mankind that will prevent people from being idiots,” Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC), told Bloomberg.