DHS releases software security scoring system

Goal is to give software developers and enterprises more information on finding and fixing the most dangerous programming errors

The Department of Homeland Security (DHS), along with the SANS Institute and Mitre, released a scoring system on Monday designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding.

The organizations released an updated list of the Top 25 most dangerous programming errors found in software, and a measuring system that lets enterprises score the security of their software based on the presence or absence of those flaws.

The goal is to give enterprises information that will let them make more informed decisions regarding the security of their software, said Alan Paller, director of research at SANS.

The hope is that organizations within the private sector and government will use the Top 25 list and scoring system during the software procurement process, he said.

"Companies and not-for-profits that build or buy Web services and software do not have a reliable way to know whether the software they are using is protected against common attacks," Paller said.

The key missing ingredients have been a credible, validated list of the most dangerous errors programmers make, and a way to test the software to see whether those errors are present, he said.

"The DHS/Mitre announcement ... is just that -- an updated, authoritative list of the key flaws plus a measuring system that lets organizations score their software for security," Paller said. "The bottom line is that buyers and builders of software and services will be able to ask for assurance that the critical flaws have been eliminated, and be able to verify that."

The updated Top 25 list of most dangerous programming errors that the scoring system is based on includes many of the same security issues from last year's list. The one key difference is that SQL Injection errors top the list for 2011, compared with last year, when they were the second most dangerous error.

Operating system command injection errors, which allow attackers to issue OS commands through a Web application interface, were listed as the second most dangerous software programming error in this year's list. Rounding out the top five threats were buffer overflow errors, cross-site scripting flaws and missing authentication for critical functions.

The list of errors released on Monday was accompanied by suggestions and guidance on how software developers can reduce the chances of such flaws showing up in their products.
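The two flaws at the top of the list, SQL injection and OS command injection, both come from splicing untrusted input into a string that another interpreter (the database engine or the shell) then parses. The following is an added illustration, not code from the Computerworld article or from the DHS/SANS/Mitre list, of the vulnerable pattern next to the mitigation the guidance calls for: a parameterised query, and an allowlist-validated argument passed to a subprocess as an argv list rather than a shell string. The users table, its rows and the probe inputs are constructed for the example; the function names are the example's own.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table standing in for
    # an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # SQL injection (CWE-89): the caller's text becomes part of the SQL
    # statement, so a quote in the input changes the query's structure.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the value travels separately from the SQL text,
    # so whatever it contains is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for a hostname argument: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_argv(host):
    # OS command injection (CWE-78) mitigation: validate against an allowlist
    # and return an argv list for subprocess.run(argv) with no shell involved,
    # so shell metacharacters in the input have no interpreter to reach.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed probe input for the SQL lookup
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row leaks
    print("safe:      ", lookup_safe(conn, probe))        # no such user
    print(build_ping_argv("example.com"))
    try:
        build_ping_argv("example.com; echo injected")  # constructed probe
    except ValueError as err:
        print("blocked:", err)
```

Running the script shows the vulnerable lookup returning all three rows for the probe input while the parameterised lookup returns none, and the argv builder refusing the hostname that carries a shell separator. The same two ideas, keep data out of the code channel and validate against an allowlist, are what a scoring exercise against the Top 25 would check for in a code base.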

"[These] kinds of lists are good ways to focus attention on the biggest vulnerability areas," said John Pescatore, an analyst with Gartner. "Things like the Common Vulnerability Scoring Standard have been around for a while providing a common framework for describing vulnerabilities and tailoring severity levels to your own environment."

But what's equally important are ways to measure and drive improvements in the actual implementation of security controls, he said. Efforts such as the Building Security In Maturity Model (BSIMM), for instance, let companies compare themselves with their peers and see how and whether they are improving on the security front, Pescatore said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
