
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: The New York Times

Posted on June 30, 2011

The Homeland Security Department plans to unveil a new system of guidance intended to help make the software behind many services - be they Web sites or power grids - less susceptible to hacking.

The system includes an updated list of the top 25 programming errors that enable today's most serious hacks. To help make the list more useful, it adds new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products.

The effort to improve software security has been three years in the making, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit that conducts federal research in systems engineering.

The Homeland Security Department's hope is that the program, which is voluntary, will make it easier for companies and agencies to better secure their corners of cyberspace and contribute to building safer global networks.

"We're going after root cause issues," said a senior department official, who declined to be named because the announcement of the new plans had not yet been made. "You can make your enterprise more resilient from the people who would attack you."

The top 25 list was created by the nonprofit SANS Institute and Mitre with the help of top software security experts in the United States and Europe, and it includes programming errors that have been used in a number of recent headline-grabbing hacking attacks.

For instance, No. 1 on the list is a programming mistake that allows so-called SQL-injection attacks on Web sites, which were successfully used by the hacker group LulzSec. That group was able to use the flaws to cause databases to spit out user names and passwords from Web sites, including one associated with the F.B.I.'s InfraGard program and NATO's online bookstore.
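The "No. 1" error above, SQL injection, comes down to splicing untrusted input into query text. The following is an added illustration, not code from the article or from the SANS/Mitre list: an in-memory SQLite table with constructed rows, the vulnerable lookup beside its parameterized fix, and the kind of regression check a developer would keep to confirm the fix holds.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so quotes inside it can change the statement's structure."""
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed form: a parameterized query. The driver binds the string as a
    value, so it can only ever be compared against the name column."""
    sql = "SELECT name, password FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def fix_holds(conn: sqlite3.Connection) -> bool:
    """Regression check: an input containing a quote must not widen the
    result set. Returns True when the parameterized lookup behaves."""
    quoted_input = "x' OR '1'='1"          # constructed test input
    return lookup_safe(conn, quoted_input) == []


if __name__ == "__main__":
    db = make_db()
    print("unsafe rows:", lookup_unsafe(db, "x' OR '1'='1"))  # every row leaks
    print("safe rows:  ", lookup_safe(db, "x' OR '1'='1"))    # no match
    print("fix holds:  ", fix_holds(db))
```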

The list also warns about the type of error that allowed hackers to steal several hundred thousand credit card numbers from a Citigroup site recently.

The guidance framework will include "vignettes" for industries like e-commerce, banking and manufacturing, and will highlight for them which programming errors are of greatest concern in the types of technologies they use.

Companies that make tools to test software for dangerous programming mistakes are already beginning to incorporate the frameworks into their products, said Alan Paller, head of research at SANS. And eventually there will be services that help businesses evaluate whether the software they're considering buying has stood up to scrutiny.

Avoiding common programming mistakes is vital to fending off today's worst attacks, he said. "This is the only way to get around 'zero days,' " he said, referring to attacks that make use of software vulnerabilities that are unknown and, therefore, cannot be fixed quickly with patches. "The only possible defense is to stop the error from being in the software in the first place."


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
