Second on the top 25 software flaw list is the OS command injection flaw, third is the classic buffer overflow, and fourth is cross-site scripting.
In its annual list of software flaws, Mitre and the SANS Institute rank the vulnerabilities according to how easy they are to find and attack. “They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all”, the organizations explained.
The 2011 software flaw list is prioritized using input from more than 20 organizations, which evaluate each weakness based on prevalence, importance, and likelihood of exploitation.
The list is intended to assist programmers in preventing future flaws, software customers in purchasing more secure software, and researchers in focusing their software research, Mitre and the SANS Institute explained.
The highly publicized attack by LulzSec on Sony involved the use of SQL injection. LulzSec boasted that they used a “very simple SQL injection” to access “everything” on the SonyPictures.com site.
Commenting on the top 25 software flaw list, Alan Paller, director of research at the SANS Institute, told Infosecurity that there is currently “no incentive for software builders to deliver secure software because buyers cannot determine whether important programming errors were left in the code. And because buyers and development managers don’t measure it, developers don’t focus on getting the flaws out.”
Paller said that the new prioritized scoring system used in the top 25 list enables software buyers to provide feedback to software developers, who then have an incentive to fix the vulnerabilities earlier in the development process.
In releasing the top 25 list on Monday, Robert Martin, principal engineer with Mitre, noted that OS command injection and classic buffer overflow are making a comeback as actively exploited flaws.
Martin said that this year the top 25 software flaws are broken up according to category: insecure interaction between components (including SQL injection, OS command injection, and cross-site scripting), risky resource management (including classic buffer overflow), and porous defenses. He said that flaws in the last category are the most difficult to prevent because “these are the kinds of problems you get when you expect every single programmer to do every single thing right…. These areas are really problematic because they are very complicated and intricate”.