The long string of attacks against popular Web sites, high-profile companies such as Sony, and government networks has brought the problem of common and easily exploitable vulnerabilities into the public eye, and the Department of Homeland Security today is unveiling a new effort to help address the issue. The plan, developed in conjunction with MITRE, involves the introduction of a new scoring system to help evaluate software projects against a list of common programming errors.
The new scoring system is known as the Common Weakness Scoring System and comprises a number of different kinds of scoring methods: targeted, generalized, context adjusted and aggregated.
The list of errors is meant to be separate from the plethora of other such lists of the most common vulnerabilities or weaknesses. These are strictly programming errors that DHS and MITRE are hoping to help developers avoid in future projects. In addition to the list of 25 programming errors, the initiative also includes guidance on how organizations can score their own software projects against the list.
The DHS effort is interesting in that it is focused on software and applications and not on networks and endpoints, where much of the department’s previous efforts in computer security have been focused.
The list and guidance come at a time when attacks by groups such as LulzSec, Anonymous and others on Sony, Infragard, Citigroup and other high-profile targets have made the issue of Web security and easily exploitable vulnerabilities a topic on the nightly news and in the mainstream press. The level of concern about the state of the applications that run the critical systems in both the government and the private sector is clear among both government officials and public sector experts.
But there don’t seem to be any clear answers about how to address the problem. Secure coding initiatives, developer training and even public shaming all have failed in the past. But DHS officials hope that this time will be different.
“Almost all of the attacks were enabled by errors left by programmers. There’s no incentive system right now that touches programmers, because by the time it’s discovered it’s so far removed from the development process it just doesn’t come back to touch them,” said Alan Paller, director of research at The SANS Institute. “You have to tell them what to look for and give them a way to look for it that doesn’t consume them.”
On Monday, DHS and MITRE announced the release of version 0.8 of the CWSS, which will continue to evolve in the next few years as it’s put into practice in various organizations and refined and retooled. At the same time, MITRE also released CWE 2.0 and the Common Weakness Risk Analysis Framework.
“CWSS is a new scoring system that is in its infancy but I have high hopes for it. At Veracode we had to create our own proprietary scoring system 5 years ago when we launched the company because there was no community accepted standard. I would have loved to have picked a standard off the shelf that would be accepted right away by our customers. CWSS is different than CVSS because it can score the risk of vulnerabilities during the SDLC when it is important to decide whether to eliminate defects or not before shipping the software. I think both of these efforts will help make writing secure software the default instead of the special case it is today,” said Chris Wysopal, CTO of Veracode.
The new version of the CWE/SANS Top 25 Most Dangerous Software Errors released Monday is led by SQL injection, one of the more popular attack methods for hackers looking to compromise a Web site and get access to the site’s back-end database. The attack has been used in a number of recent incidents, including several attributed to LulzSec in recent weeks. SQL injection has been a serious problem for years, but it continues to crop up. The list itself has been around since 2009.
Cross-site scripting, which also has been a tremendous issue for years, is number four on the new list. Also included are common problems such as buffer overflows and cross-site request forgery.