Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development
    • Networking

    DHS Unveils Security Scoring System for Software Flaws, Attack Vectors

    By
    Fahmida Y. Rashid
    -
    June 28, 2011
    Share
    Facebook
    Twitter
    Linkedin

      The United States Department of Homeland Security unveiled a detailed guide to help software developers and vendors avoid common security errors in their applications.

      Homeland Security’s Cyber-Security Division worked with the security training and research organization SANS Institute and the non-profit technology research company Mitre to create a list of common software vulnerabilities along with a scoring system to prioritize flaws, a risk analysis framework to evaluate the seriousness of the flaws and a list of top 25 dangerous software errors. The guide was released June 27 and is intended to help organizations hold their developers and vendors accountable for problems in the application.

      The CWE (Common Weakness Enumeration) list contains high-level overviews and examples of widespread software vulnerabilities as well as consequences, likely attack vectors and potential ways to mitigate attacks. Unlike other lists of common vulnerabilities, CWE 2.0 provides detailed explanations of the exact programming errors to avoid.

      “This will allow agencies and organizations to take a tactical approach to addressing vulnerabilities,” Will Pelgrin, director of the Multi-State Information Sharing and Analysis Center, a collaborative cybersecurity effort that includes state and local governments, said on a conference call.

      The CWSS (Common Weakness Scoring System) version 0.8 will assign a standard score to the software, giving organizations a clear understanding of its security. From a vendor standpoint, the company will be motivated to address the common issues to bring up the score, or customers won’t be willing to buy the software.

      From a customer standpoint, they can look at the scores and prioritize which software vulnerabilities need to be addressed. The scoring system considers potential technical and business impacts of the weakness when it is exploited, the operational layer the attacker may access, the effectiveness of available defenses, the privilege level needed to access the vulnerability, and the likelihood an exploit.

      Basic vulnerabilities such as SQL injection and cross-site scripting still account for a majority of security flaws in Web applications, Rafal Los, a security evangelist at HP, recently told eWEEK. Organizations are finally realizing how important it is to regularly check their code for programming errors, and investing in technology to help them find those flaws, Los said.

      The CWRAF (Common Weakness Risk Analysis Framework) will provide a way for organizations to evaluate risk as they pertain to the industry. The framework will include “vignettes” for specific industries highlighting which programming errors have the potential to affect them the most. For example, a security flaw in an application may be a bigger threat to the banking industry because of specific technology being used than in manufacturing, which might not use it.

      “I see this as a management tool to focus the team on things that are the greatest threat and that have the greatest consequences,” Pelgrin said.

      The DHS effort focused on applications and software in this voluntary guide, which is timely considering the string of high-profile Web attacks in recent months. Many of the attacks used basic vulnerabilities, such as SQL injection, to compromise the site. These attacks have highlighted how costly software flaws can be, with attackers relying on common bugs to steal credit card information and login credentials from various government and banking sites.

      The SANS Institute also released its annual list of the top 25 Web vulnerabilities. The most significant flaws were the ones that could be exploited by SQL injection attacks, according to the list. In a SQL injection, attackers insert database commands into a form on the Web page and trick it to executing them. Other top vulnerabilities include operating system command injection, classic buffer overflow, and cross-site scripting.

      SANS Institute and Mitre collaborated with software security experts in the United States and Europe to create the list.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×