Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/27/2011
03:07 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Feds Identify Top 25 Software Vulnerabilities

Department of Homeland Security worked with non-profits and the private sector to come up with a list of the most worrisome threats and how organizations can mitigate them.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Department of Homeland Security on Monday announced detailed guidance for how software companies and others writing code can avoid the most widespread and serious vulnerabilities in software.

Working with technology research non-profit Mitre and security training organization the SANS Instittute, as well as a number of private sector organizations from Apple to Oracle, DHS' National Cyber Security Division drew up a list of software vulnerabilities called the Common Weakness Enumeration, developed a scoring system and risk analysis framework for evaluating the seriousness of the flaws and prioritizing the weaknesses, and released a top 25 list of the most dangerous software errors.

The list includes high-level overviews and examples of each of the vulnerabilities, common consequences of the problem, likely modes of detection and attack, and potential mitigations for each type of attack at various steps in the software development process.

Initiative leaders anticipate that the Common Weakness Enumeration, top 25 list, and scoring system will let users compare weaknesses, educate themselves, and prioritize their security efforts. This isn't the first release of the top 25 list or of the Common Weakness Enumeration, but is the first one to take as detailed and data-intensive look at the vulnerabilities, thus making it significantly more useful than previous versions, initiative leaders said on a conference call about the effort.

"This will allow agencies and organizations to take a tactical approach to addressing vulnerabilities." Will Pelgrin, director of the Multi-State Information Sharing and Analysis Center, a collaborative cybersecurity effort that includes state and local governments, said on the call. "I see this as a management tool to focus the team on things that are the greatest threat and that have the greatest consequences."

Atop this year's list are SQL injection flaws, which are the most serious due to their common nature and the ease and frequency of exploit online. Other top vulnerabilities include operating system command injection, classic buffer overflow, and cross-site scripting.

The effort is exemplary of the increasing frequency with which DHS is collaborating with the private sector on cybersecurity efforts. In addition to this initiative, for example, DHS' National Cybersecurity and Communications Integration Center has private sector reps working side by side with feds to uncover and address vulnerabilities in their systems, and the IT sector has worked on a major risk assessment effort with DHS.

"Whether you call it partnership or collaboration, the relationship between the government and the private sector has been on the increase," Joe Jarzombek, director for software assurance at the National Cyber Security Division, said on the call.

The scoring system takes into consideration the potential technical and business impacts of exploited weaknesses, the operational layer to which the attacker might gain access (i.e. application-level versus, say, network-level), the effectiveness of available mitigating controls, the privilege level needed to access the vulnerability, the likelihood of discovery and exploit of the weakness, and more.

What industry can teach government about IT innovation and efficiency. Also in the new, all-digital issue of InformationWeek Government: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...