The Public Eye with Eric Chabrow

Getting Down to Basics

Exploiting the Growing Catalog of Solid Infosec Best Practices

What's significant isn't the list of specific errors highlighted, but the fact that steps can be taken to mitigate the vulnerabilities that threaten IT systems and their data that don't require big investments.

The release of the list of 25 most dangerous programming errors coincides with the issuance by the not-for-profit government contractor MITRE and the Department of Homeland Security of the Common Weakness Scoring System and the Common Weakness Risk Analysis Framework, initiatives aimed at identifying vulnerabilities in software.

If every buyer asks for a report showing how well the developer did on the top 25, it will be a very short time before the programmers stop making those errors because sending a report saying they made the errors is the same as saying the programmers are incompetent. 

The list of dangerous programming errors, along with the Common Weakness Scoring System and the Common Weakness Risk Analysis Framework, can help buyers of technology get the makers of technology to build less vulnerable wares. "It provides the first incentive system to persuade programmers and software companies that security flaws must be fixed before they deliver the code to the users," says SANS Institute Research Director Alan Paller. "If every buyer asks for a report showing how well the developer did on the top 25, it will be a very short time before the programmers stop making those errors because sending a report saying they made the errors is the same as saying the programmers are incompetent."

No one suggests that IT security is easy or cheap; it's not. But implementing processes that can reduce risk without the heavy dose of dollars pays off with securer systems.

Take, for instance, the often maligned check-list approach to IT security government agencies are compelled to follow under the Federal Information Security Management Act. A movement is well underway to move away from paper compliance - one that shows agencies are complying with specific IT security requirements - to one of continuously monitoring computers and networks to show how secure they are. That's good. Still, there is value in the checklist. One of the most respected computer scientists, Ron Ross of the National Institute of Standards and Technology, believes organizations that properly comply with the checklist have greater security than those that do not (see NIST Scientist: FISMA Rules Constructive).

"Compliance could be interpreted as meeting the OMB checklist requirements; it could also be interpreted as meeting the NIST standards and guidelines," said Ross, NIST senior computer scientist and project leader for the institute's FISMA implementation project. "Complying with the provisions of FISMA, which include the standards and guidelines, will by definition, make your system more secure."

The same can be said of the consensus audit guidelines, or CAG, the 20 most important security controls organizations can implement to protect their IT systems (see New Guidelines: Top 20 Cybersecurity Controls).

Former Air Force Chief Information Officer Jim Gilligan, the force behind CAG, says organizations have the ability to implement the basic safeguards needed to protect cyber systems from the relatively unsophisticated attackers who represent the vast majority of the threat (see No-Brainer: How Agencies Can Secure IT). "While these so-called good-hygiene control areas will not ensure that the trillions of logic statements are absolutely correct, they provide a solid foundation level of security needed to thwart relatively unsophisticated attackers: the 80 percent of the problem," he says. "The 20 critical controls are not intended to provide absolute security, but implementing them has proven to dramatically improve the ability of complex systems to withstand the majority of attacks."

What all of these initiatives have in common is that they were created by some of the smartest IT security practitioners from government and the private sector, and they're available for free. Take advantage of them.



About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.