Feds, SANS Disclose Top 20 Vulnerabilities

The General Services Administration last week unveiled a flurry of Internet-security-related announcements, including an updated list of the top 20 vulnerabilities as compiled by the FBI and The SANS Institute.

The list includes 10 programs in Unix systems, including Apache Web Server, Secure Shell and FTP; and 10 programs in Windows systems, including Microsoft Corp.'s SQL Server, Internet Explorer and Remote Registry Access. Absent are several vulnerabilities that made the list last year but are no longer prevalent. (The complete list can be found via www.eweek.com/links.)

"This year, there's nothing that you should not be able to test," Alan Paller, director of research at SANS, said upon revealing the top 20 vulnerabilities at the GSA, in Washington.

In conjunction with the advisories, several IT security vendors announced product upgrades that will target the identified weaknesses.

Internet Security Systems Inc., for one, launched a policy component for its Internet Scanner to allow users to tailor security profiles based on the top 20 vulnerabilities. ISS' Internet Scanner application monitors systems for weaknesses that affect communication services, operating systems, routers, e-mail and Web servers, firewalls, and applications.

Qualys Inc. and Foundstone Inc. also released scanning services and products last week. In addition, The Nessus Project and Advanced Research Corp. announced open-source products to cover the newly identified weaknesses.

To help federal agencies identify and eliminate the top 20 weaknesses, the GSA is setting up a task force to draft specifications for contracting with security vendors via the federal SafeGuard program. The GSA is also providing a patch service to federal users, notifying them by e-mail when a new vulnerability is identified on a system.