Content

A giant step for business security

Right before going to press for this edition of SC Magazine, SANS' Alan Paller alerted me to an impending industry announcement that, he said, would be “of interest to business people – not just techies” and “change the way organizations buy software, right away.”

Now, while the last point will need time to be proven, the first seems accurate enough. Jointly made by over 30 cybersecurity organizations, the announcement centered on the release of the first consensus list of the 25 most important programming errors that lead to security bugs, which often enable various types of cybercrime. The release offers in-depth guidance on how to fix these holes.

A couple of things made this different from previous lists. First was the breadth of involvement from experts at various private, public and educational institutions from around the globe. Second was the push for its creation by the NSA, and financial support coming from DHS's National Cyber Security Division.

But perhaps, most importantly, this list moves beyond the vulnerabilities that result from programming errors to the actual mistakes that developers make that create the holes in the first place. And this means that this consensus list, which saw the participation from so many industry experts in its creation, and its associated and regularly updated websites (www.sans.org/top25 and cwe.mitre.org/top25) offer details on how to mitigate against these all too common, but often lethal mistakes. 

According to experts behind the release of this list, these highly misunderstood errors made by programmers can have a huge impact on a company's ability to stay up and running. “Just two of them led to more than 1.5 million website security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those websites, turning their computers into zombies,” the press release noted.

During a press conference right after the announcement, an NSA spokesperson said that the shared creation and release of such critical programming errors and the detailed fixes for them will prompt a huge change in the way organizations tackle security. And if that means safer computing environments that see more programmers better understanding how to integrate security into the software they're building, then it's a big step in the
right direction.

Illena Armstrong is editor-in-chief of SC Magazine.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.