A joint effort among the Department of Homeland Security (DHS), SANS Institute, MITRE, and many top software security experts in the US and Europe has produced a detailed list of software vulnerabilities aimed at helping businesses set up a secure website and judge potential programming errors. While the federal program has been in development for years, the costs of programming oversight has been front page news with recent cyber attacks resulting in the theft of credit card and other personal information. Included in the publicly available research is the Top 25 List of programming errors that have been exploited in many of the recent attacks. For example, the top error is not preventing SQL-injection attacks on websites, an oversight exploited by hacking group LulzSec to retrieve user names and passwords from sites such as FBI’s InfraGard program and NATO’s online bookstore.
There is hope among IT security contractors that this latest guidance by the DHS team will prompt organizations to address the real and growing threat software security poses to their operations.
*Special thanks to Summer Associate Dan Tracey for his contributions to this edition of the Privacy Bulletin.