Most of the past year's high-profile hacking attacks could easily have been avoided, according to a federal study.
In conjunction with the non-profit research outfit Mitre and the training organization the SANS Institute, the Department of Homeland Security has drawn up a list of the most common flaws.
The attacks on Sony, PBS and HBGary were all carried out using SQL injection techniques, for example, which the study says can be easily and cheaply prevented. And the May attack on Citibank was carried out using 'missing authorization', which is similarly fixable.
SQL injection is rated as the most dangerous vulnerability, followed by OS command injection.
“SQL injection delivers the knockout punch of security weaknesses in 2011. For data-rich software applications, SQL injection is the means to steal the keys to the kingdom,” says the report.
“OS command injection is where the application interacts with the operating system. The classic buffer overflow comes in third, still pernicious after all these decades. Cross-site scripting is the bane of web applications everywhere. Rounding out the top five is Missing Authentication for critical functionality.”
For the first time, the report provides tools and recommendations to help companies fix vulnerabilities in their systems. Some of these are both rather obvious and easier said than done: “Establish and maintain control over all of your inputs,” for example.
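The report's claim that SQL injection is cheap to prevent, as an added example that is not from the report or this article: the same login check written once with string concatenation (the weakness) and once with a bound-parameter query (the fix), run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample data (not from the report): one user in an in-memory database.
# The password is stored in plaintext only to keep the example short.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")


def login_vulnerable(name: str, password: str) -> bool:
    # Weakness: caller input is spliced into the SQL text, so the input can
    # rewrite the query's structure instead of being treated as a value.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(name: str, password: str) -> bool:
    # Mitigation: a prepared statement with bound parameters. The query
    # structure is fixed at write time; whatever the caller passes is data only.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None
```

The parameterized version needs no input filtering to be safe, which is what makes the fix cheap: the database driver keeps query text and user data separate.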
But the aim is laudable: to persuade developers and software firms to try to fix vulnerabilities before, rather than after, shipping the code.
“The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped,” says the report.