February 16, 2010 | 2
Concerns about cyber security seem to be as pervasive as the Web itself, whether it’s China’s capacity to wage cyber warfare, the vulnerability of U.S. public utilities and other critical infrastructure to online attacks, or even Google’s recent efforts to close security holes in its new Buzz social networking site. For the past several years, those defending their computers and networks against hackers have been playing catch up to their increasingly well-funded and organized adversaries.
Some computer security experts propose that the best way to ensure computer security is to write software that isn’t easily breached by viruses, worms and other hacker tricks. To that end, the SysAdmin, Audit, Network, Security (SANS Institute) Tuesday released its annual list of the 25 most dangerous programming errors that enable security bugs, cyber espionage and cyber crime. SANS, a cooperative research and education organization in Bethesda, Md., that also provides computer security training, compiled the list with help from government computer contractor The MITRE Corp. as well as more than two dozen academics, security vendors and government agencies.
Although most of the list is unintelligible to those without experience writing software—the top programming mistake, for example, is "failure to preserve Web page structure"—its purpose is to get programmers thinking about how to shore up their software code before allowing it to interface with the Internet. In layman’s terms, failure to preserve Web page structure (sometimes called "cross-site scripting") means that a piece of software written for the Internet (a Web site’s home page, for example) is too trusting when interacting with other software on the Internet. This would enable malicious software (malware) to embed a virus or spyware within that home page. Once this is done, people visiting that page could be unwittingly infected with the virus or have spyware installed onto their computers. If the home page had been written in such a way that it refused to accept data containing executable programs (such as Flash), the malware might not have worked.
Lists such as the one issued Tuesday are not without their critics, who point out primarily that focusing on software flaws is only part of the security problem. "There is much more to building secure software than hunting down 25 bugs," Gary McGraw, chief technology officer of software security consulting firm Cigital, wrote in an e-mail to Scientific American. McGraw is outspoken in opposition to what he calls "generic…bug parade lists." He has blogged in the past about how businesses, many of which lack sufficient computer security specialists, need to prioritize security concerns rather than systematically fixing all software problems.
In other security news, a number of software and cyber security vendors, with help from Georgetown University, on Tuesday hosted a simulated cyber attack on Washington, D.C., called Cyber ShockWave. During the simulation a bipartisan group of former senior administration and national security officials—including former Secretary of Homeland Security Michael Chertoff and former Director of National Intelligence John Negroponte—were to play the roles of the U.S. president’s Cabinet members, whose mission is to advise the president and mount a response to the attack. The participants did not know the scenario in advance and are expected to react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.
Image ©iStockphoto.com/ Vladimir Mucibabic