Software Security Scoring System

Wednesday, June 29, 2011 @ 11:06 PM gHale

A new scoring system designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding is now ready for use.

The Department of Homeland Security (DHS), the SANS Institute and Mitre jointly released the list of the “Top 25 most dangerous programming errors” found in software, together with a measuring system that lets enterprises score the security of their software based on the presence or absence of those flaws.

The goal is to give enterprises information so they can make more informed decisions regarding the security of their software, said Alan Paller, director of research at SANS.

The hope is that organizations within the private sector and government will use the Top 25 list and scoring system during the software procurement process, he said.

“Companies and not-for-profits that build or buy Web services and software do not have a reliable way to know whether the software they are using is protected against common attacks,” Paller said.

The key missing ingredients have been a credible, validated list of the most dangerous errors programmers make, and a way to test the software to see whether those errors are present, he said.

This is an updated list of the key flaws plus a measuring system that lets organizations score their software for security, Paller said.

The updated Top 25 list of most dangerous programming errors includes most of the same security issues from last year’s list. The one key difference is that SQL Injection errors top the list for 2011, compared with last year, when they were the second most dangerous error.

Operating system command injection errors, which allow attackers to issue OS commands through a Web application interface, were listed as the second most dangerous software programming error in this year’s list. Rounding out the top five were buffer overflow errors, cross-site scripting flaws and missing authentication for critical functions.

The list also came with suggestions and guidance on how software developers can mitigate the chances of such flaws showing up in their products.
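The two errors at the head of the 2011 list share one root cause: untrusted input is spliced into a string that another component (a SQL engine, a shell) then parses. The added example below is not from the article or from the Top 25 project; it shows each defect next to the corrected form, using a constructed in-memory SQLite table and the harmless `echo` command so it runs offline. The function names and sample rows are assumptions chosen for illustration.

```python
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory table with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_vulnerable(conn, name):
    # SQL injection pattern: the caller's input becomes part of the SQL text,
    # so the database parses it as SQL rather than treating it as a value.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_fixed(conn, name):
    # Parameterised query: the input is bound as a value by the driver and
    # can never change the structure of the statement.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def echo_vulnerable(text):
    # OS command injection pattern: the concatenated string is handed to
    # /bin/sh, which interprets shell metacharacters in the input.
    out = subprocess.run("echo " + text, shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def echo_fixed(text):
    # Argument vector, no shell: the input reaches echo as a single literal
    # argument, whatever characters it contains.
    out = subprocess.run(["echo", text], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote character
    print("vulnerable:", lookup_role_vulnerable(db, probe))  # every row leaks
    print("fixed:     ", lookup_role_fixed(db, probe))       # no such user
    print("vulnerable:", echo_vulnerable("a; echo b"))       # two commands ran
    print("fixed:     ", echo_fixed("a; echo b"))            # one literal arg
```

A code review or a static-analysis rule for these two CWE categories looks for exactly the shapes in the `*_vulnerable` functions: string building that feeds `execute()` or a `shell=True` call. The corrected forms are the mitigation the Top 25 guidance recommends for both classes, keeping data and code on separate channels.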
