US offers anti-hacking guidelines
The Homeland Security Department unveiled a new system of guidance yesterday intended to help make the software behind websites, power grids, and other services less susceptible to hacking.
The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. It adds new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products.
The effort to improve software security has been three years in the making, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit organization that conducts federal research.
The cost of flaws or omissions that make software susceptible to attack was highlighted by a number of recent attacks that resulted in the theft of credit card information, user names, and passwords from government and banking sites.
During an online news conference, government officials pointed out that a wide range of stakeholders had an interest in seeing the top 25 errors addressed, and they stressed the need for better training and education for people writing software.
The Homeland Security Department’s hope is that the program, which is voluntary, will make it easier for companies and agencies to better secure their corners of cyberspace and contribute to building safer global networks.
The guidance could spur a long-awaited shift in the technology industry’s approach to computer security, which puts software security at the heart, in the place of network security, said Jeremiah Grossman, chief technology officer of WhiteHat Security, a firm that helps companies secure their websites.
Many organizations do not recognize that software security should be the focus, he said, “which is why you see the bulk of the security dollars spent on defense flowing to firewall and antivirus products, and precisely why the current wave of breaches keep happening.’’
The top 25 list includes programming errors that have been used in a number of recent hacking attacks.
Number one on the list is a programming mistake that allows so-called SQL-injection attacks on websites, which were successfully used by the hacker group LulzSec. That group was able to use the flaws to cause databases to spit out user names and passwords from websites, including one associated with the FBI’s InfraGard program and NATO’s online bookstore.
The list also warns about the type of error that allowed hackers to steal several hundred thousand credit card numbers from a Citigroup site recently.
The guidance framework will include “vignettes’’ for industries like e-commerce, banking, and manufacturing, and will highlight for them which programming errors are of greatest concern in the types of technologies they use.