Top 25 software errors identified

Featured this month: Three-dimensional incident management

Incident response is a key part of the profile of any organisation. For many customers, how problems are handled is an important part of their relationship with that business. For some organisations, how incidents are handled is a core part of their effectiveness. For that reason, key organisations have invested time and money in their incident response capability. This article looks at a dimension of that provision that is often overlooked: the third dimension of 'backstage' provision and support. Neglecting it could well lead to higher staff turnover and lower efficiency. How can that be avoided? Wendy Goucher explains.

Continued on page 16...

ISSN 1361-3723/10 © 2010 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying: Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Contents

NEWS
Top 25 software errors identified (page 1)
Trustwave: Businesses making same security mistakes (page 2)
US embarrassed in cyberattack simulation (page 2)
IE 8 reaches top browser slot (page 3)

FEATURES
The (in)consistent naming of malcode (page 5)
For many years, anti-malware companies have each stuck to their own naming conventions when discovering new malware strains. That can be confusing for the people who write about new viruses, trojans and worms, but does anyone else care? Tom Kelchner of Sunbelt Software gives an anti-virus company's perspective.

A fractured reaction to the Christmas bomber (page 8)
Neil Fisher, vice president global security solutions at Unisys, talks about why full body scanners may be a red herring in the fight against terrorism.

A new strategy for the protection of intellectual property (page 8)
Meenu Gupta explores the meaning of intellectual property in a world rife with peer-to-peer filesharing and other technologies designed to make information flow like water through corporate boundaries.

Software ownership: Where does it lie when it comes to M&A and outsourcing? (page 11)
With the rise of new software consumption models, how does the ownership of software change, and what are the legal ramifications for companies?

Fraud 2009 bad, 2010 better? (page 13)
Jim Gee, director of counter fraud services at McIntyre Hudson LLP, discusses the worst frauds of 2009 and makes predictions for the next year.

Three-dimensional incident management (page 16)
Incident response is an important part of a business's activity. An effective team needs to be well trained and managed, but it also needs good support. Wendy Goucher explains the oft-overlooked third dimension of incident management.

UK police computer audit logging and control technology in the spotlight (page 18)
The need for protective monitoring and auditing of activity on police computers has never been greater, argues Tim Ellsmore, managing director of 3ami, a Lancashire-based IT security company that recently carried out an in-depth survey into UK police management's attitudes to the technology.

REGULARS
Editorial (page 3)
News in brief (page 4)
Calendar (page 20)

Computer Fraud & Security, ISSN 1361-3723, February 2010, www.computerfraudandsecurity.com

Top 25 software errors identified

The SANS Institute and Mitre have come together to update their annual list of the top 25 software programming security bugs. SQL injection is the number one danger to software customers, according to the organisations.

SANS and Mitre have made several improvements over the 2009 programming errors list. Focus profiles have been created to explain how software weaknesses relate to real-world scenarios. The new list also ranks items using a survey of 28 organisations that prioritised bugs based on their prevalence and importance.

After SQL injection, classic buffer overflow was public enemy number two in terms of application security. Cross-site scripting came a close third, followed by operating system command injection. The fifth-ranked programming security error was the unrestricted upload of a file with a dangerous type. Cross-site request forgery, while increasingly common in web application attacks, failed to make the top five, resting instead in sixth place.

The bugs were ranked according to importance and prevalence. Each of these parameters was used to assign a sub-score to a bug. The importance sub-score was squared and then added to the prevalence sub-score to produce the final result, giving importance much more weight than prevalence.

The study also produced a separate ranking focusing purely on the technical impact of each weakness. "Note that skilled attackers can combine multiple weaknesses into a single, larger attack that is more severe than any of its parts," the report said.

Several weaknesses that were identified last year, including input validation, have been moved to a separate section called Monster Mitigations. "A number of general purpose CWE entries were removed from the top 25 because they overlap other items," said Mitre. "This also made room for other, more specific weaknesses to be listed."

Continued on page 5...
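The list's number one entry, SQL injection, comes down to one structural mistake: user input is spliced into the text of a query, so the input can change what the query means. The example below is added here to make that concrete; it is not code from the article or from the SANS/Mitre report. It builds a constructed in-memory SQLite table of users (the data, table and function names are this example's own), then runs the same injected username through a login check that formats input into the SQL string and through the parameterised form that binds it as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
# Passwords are stored in clear text only to keep the injection visible;
# a real system stores a salted password hash and compares against that.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weakness: input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_parameterised(conn, username, password):
    """The fix: the query text is fixed and the values are bound as
    parameters, so the input is only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Classic bypass: closes the open string literal, makes the WHERE clause
# always true, and comments out the password check (-- is a line comment
# in SQLite). The vulnerable query becomes:
#   ... WHERE username = '' OR 1=1 --' AND password = 'anything'
INJECTED_USERNAME = "' OR 1=1 --"


def demo():
    """Run both checks with valid credentials and with the injected username."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vulnerable_bypass": login_vulnerable(conn, INJECTED_USERNAME, "anything"),
        "parameterised_valid": login_parameterised(conn, "alice", "correct horse battery staple"),
        "parameterised_bypass": login_parameterised(conn, INJECTED_USERNAME, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both checks accept the real credentials, but only the formatted query accepts the injected username, because the quote in the input is read as SQL syntax rather than as part of a value. The fix is structural, keeping query code and user data on separate channels, rather than an attempt to filter quotes out of the input.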