Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Fighting application exploitation

Jeff Bernstein | Feb. 25, 2009
Government and private enterprise partner to target top coding flaws

Many public-private partnership initiatives are contributing to the evolution of global information security risk mitigation. US-based InfraGuard and the Malaysia-based International Multilateral Partnership Against Cyber Threats (IMPACT) are two well-known examples.

In mid-January 2009, Americas public-private partnership made a bold move by documenting and announcing the 25 most dominant coding flaws. The collaborative effort of government, academia and the commercial sector included participation from the National Security Agency and Department of Homeland Security in the US, along with a consortium of 30 other global information security organisations, including Symantec and Microsoft.

This move follows increasing levels of malicious cyber attacks targeted at the application layer and the valuable data that resides within it. Of equal concern is the increased pressure to protect the systems associated with command and control of electronic critical infrastructure. A review of reported security breaches at the Privacy Rights website provides solid validation that year over year, malicious activity on the Internet continues to increase at an alarming rate. With this in mind, the coding flaw announcement is an industry-wide welcome breath of fresh air.

Issue categories

The newly announced list includes well-known flaws that can lead to, among others, successful Denial of Service (DoS) and Cross Site Scripting (XSS) exploits. The list is subdivided into the following three categories of issues:

1.    Insecure Interaction Between Components - 9 errors

2.    Risky Resource Management - 9 errors   

3.    Porous Defenses - 7 errors

The consortiums effort should be loudly applauded as widespread adoption and implementation appears imminent and will ultimately lead to lower rates of successful electronic compromise. It is widely expected that local, state, federal and international constituencies will establish contract clauses requiring all software vendors to be secured against the top 25 weakness list as an initial barrier to doing business. For example, New York State in the US has already drafted new procurement language mandating compliance from its vendors.

The idea of tracking most prevalent vulnerabilities has been around for years. Historically, security checklists have been a significant contributing factor to the heightening of security posture of network and application computing environments worldwide. In 2004, and perhaps the single defining precursor to the new top 25, the Open Source Web Application Security Project (OWASP) launched the OWASP Top 10 which was a similar effort to bring about awareness of key application coding flaws to a wide global audience. Driving attention through its worldwide reach of 130 member chapters, OWASP continues to make significant progress towards educating the private, commercial, education and government sectors. Early adopters of the OWASP criteria include the US Department of Defense, the US Federal Trade Commission (FTC), The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), British Telecom (BT) and the Payment Card Industry, as mandated by the PCI Standard, to name only a few.


1  2  3  Next Page 

Sign up for Computerworld eNewsletters.