The U.S. Department of Homeland Security, in collaboration with The MITRE Corporation, recently released the Common Weakness Enumeration version 2.0, a best-practice guide for mitigating weaknesses in software based on the advice of experts from the government, software industry and academic thought leaders.
The MITRE Corporation, a not-for-profit agency that assists the government and other agencies with private sector issues, also released a list of the top 25 most dangerous software errors in order to point out areas developers need to be more aware of in future development projects.
MITRE cites missing authorization, use of hard-coded credentials and downloading code without integrity checks as among the most dangerous errors.
The DHS, in a blog post on June 27, said the project was completed under its National Cybersecurity Division under the Software Assurance Program, which works with the private sector “to spearhead the development of practical guidance and tools while promoting research and development of secure software engineering.”
The guidelines are meant to give software development teams a best-practice development guide in order to reduce the amount of vulnerabilities in their software. Some of the best practices include examples of known vulnerabilities, platforms that are most susceptible to them, and other examples of known malware threats, as well as a checklist for developing secure code with those weaknesses in mind.
Idappcom, an independent data traffic analytics and security firm, believed that these weaknesses can be attributed to the human element in software development, which was confirmed by the DHS in a recent survey.
DHS staff, according to Ray Bryant, Idappcom’s CEO, dropped data disks and USB sticks in the parking lots of government agencies in order to see who might find them and access the information. The DHS found, according to Idappcom’s release, that 60% of these data disks and USB sticks were inserted into government-owned computers.
“This observation—the proof of anecdotal evidence if you will—has ramifications in all aspects of IT security, and especially, I believe, when it comes to network security, as it also shows you cannot rely on staff installing IT security systems properly,” Bryant said.
He added that this is an indication that, in his opinion, the best way to combat these errors is to use “automated and effective auditing of the security appliance and allied systems, which then assists the IT security management about which areas of network/IT system security needs tightening up.”