Beginning in 2000, the SANS Institute and the National Infrastructure Protection Center (NIPC) began tracking the Top 10 Most Critical Security Vulnerabilities. As the list gained in popularity, it came to be known as the SANS/FBI Top 20 and was segmented into three categories which covered General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities. CERT (Computer Emergency Response Team at Carnegie Mellon University with federal funding) also publishes a Top 10 Coding Flaw reference list along with the various entries from the National Institute for Standards and Technology (NIST) which publishes more than 100 platform and system specific checklists that may be used in a similar fashion.
Not surprisingly, open-source and third-party network and application scanning technology providers continue to integrate similar components within their wares. For instance, Qualys publishes a Top 10 Security Vulnerability list which is updated monthly. The company and its competitors also offer modules that are designed specifically to address sector-specific vulnerabilities that are common to the banking, retail and utility space, among others. The latest version of Nessus includes a Supervisory Control and Data Acquisition (SCADA) plug-in that can assess industrial control computer systems vulnerability from exploitation via the existence of known vulnerabilities.
The reason that security checklists are so popular is that the majority of successful system compromises can be traced to a limited number of exploits, vulnerabilities and flaws that the various top and check lists document. While small in number compared to the larger population count of actual issues, it is only a few software vulnerabilities which account for the majority of successful attacks. The reason is simply because the majority of attackers take the most convenient route to compromise. They exploit the best-known flaws using the most effective and widely available attack tools, betting that organisations that they target have not fixed the problems. In fact, SANS estimates that issues, identified within the new top 25 coding list announced in January, are responsible for about 85 per cent of all malicious activity on the Internet.
This new coding flaw announcement is a major event for the development, security and end-use communities. Developers have a new functional guideline to better secure coding. The initiative is already heightening the awareness of the need to embed secure coding into the fabric of application development. Security assurance practitioners, auditors and assessors now have an added relevant reference point to assess and secure pre and post production code. End-users will benefit with the knowledge that the applications housing their sensitive data are stripped and hardened against what are considered the most common flaws, at any given time.
While the threat to data protection from application exploitation will remain among the most challenging security issues, the public-private application security partnership appears fired-up, vigilant and should be applauded for its early 2009 announcement.
Sign up for Computerworld eNewsletters.