DHS Unveils Security Scoring System for Software Flaws, Attack Vectors

The Common Weakness Scoring System will give organizations a way to determine the security and safety of software to create better applications.

The United States Department of Homeland Security unveiled a detailed guide to help software developers and vendors avoid common security errors in their applications.

Homeland Security's Cyber-Security Division worked with the security training and research organization SANS Institute and the non-profit technology research company Mitre to create a list of common software vulnerabilities along with a scoring system to prioritize flaws, a risk analysis framework to evaluate the seriousness of the flaws and a list of top 25 dangerous software errors. The guide was released June 27 and is intended to help organizations hold their developers and vendors accountable for problems in the application.

The CWE (Common Weakness Enumeration) list contains high-level overviews and examples of widespread software vulnerabilities as well as consequences, likely attack vectors and potential ways to mitigate attacks. Unlike other lists of common vulnerabilities, CWE 2.0 provides detailed explanations of the exact programming errors to avoid.

"This will allow agencies and organizations to take a tactical approach to addressing vulnerabilities," Will Pelgrin, director of the Multi-State Information Sharing and Analysis Center, a collaborative cybersecurity effort that includes state and local governments, said on a conference call.

The CWSS (Common Weakness Scoring System) version 0.8 will assign a standard score to the software, giving organizations a clear understanding of its security. From a vendor standpoint, the company will be motivated to address the common issues to bring up the score, or customers won't be willing to buy the software.

From a customer standpoint, they can look at the scores and prioritize which software vulnerabilities need to be addressed. The scoring system considers potential technical and business impacts of the weakness when it is exploited, the operational layer the attacker may access, the effectiveness of available defenses, the privilege level needed to access the vulnerability, and the likelihood an exploit.

Basic vulnerabilities such as SQL injection and cross-site scripting still account for a majority of security flaws in Web applications, Rafal Los, a security evangelist at HP, recently told eWEEK. Organizations are finally realizing how important it is to regularly check their code for programming errors, and investing in technology to help them find those flaws, Los said.

The CWRAF (Common Weakness Risk Analysis Framework) will provide a way for organizations to evaluate risk as they pertain to the industry. The framework will include "vignettes" for specific industries highlighting which programming errors have the potential to affect them the most. For example, a security flaw in an application may be a bigger threat to the banking industry because of specific technology being used than in manufacturing, which might not use it.

"I see this as a management tool to focus the team on things that are the greatest threat and that have the greatest consequences," Pelgrin said.

The DHS effort focused on applications and software in this voluntary guide, which is timely considering the string of high-profile Web attacks in recent months. Many of the attacks used basic vulnerabilities, such as SQL injection, to compromise the site. These attacks have highlighted how costly software flaws can be, with attackers relying on common bugs to steal credit card information and login credentials from various government and banking sites.

The SANS Institute also released its annual list of the top 25 Web vulnerabilities. The most significant flaws were the ones that could be exploited by SQL injection attacks, according to the list. In a SQL injection, attackers insert database commands into a form on the Web page and trick it to executing them. Other top vulnerabilities include operating system command injection, classic buffer overflow, and cross-site scripting.

SANS Institute and Mitre collaborated with software security experts in the United States and Europe to create the list.