List of Top 20 Software Flaws Due
Government tech security staffers compile, combat the toughest computer vulnerabilities.
The focus will be on fixes Wednesday, when the U.S. General Services Administration unveils its list of the top 20 Internet security vulnerabilities to a gathering of government chief information officers and IT professionals.
This is the third year that the GSA has released the list publicly. Compiled by the nonprofit SANS (Sysadmin, Audit, Network, Security) Institute and the FBI's National Infrastructure Protection Center (NIPC), the list is intended to raise awareness of serious computer vulnerabilities and give administrators a way to determine priorities for patching vulnerabilities.
Wednesday's event at the GSA offices is expected to draw around 350 people, most of them from the government IT community.
Tools Pitched
Past lists have covered three categories: general vulnerabilities, Windows vulnerabilities, and Unix vulnerabilities. Security vulnerabilities noted in previous editions of the list have ranged from very broad issues such as the failure to maintain complete system backups, to very specific platform and product vulnerabilities such as programming flaws in the Remote Data Services component of Microsoft's Internet Information Server.
Unlike past years, however, this year's conference will do more than just raise red flags. Underscoring the Bush administration's stated desire to enlist the private sector in the job of securing the nation's IT infrastructure, representatives from leading network vulnerability assessment companies will attend. They will describe tools and services their companies offer that can detect and remove many of the leading common vulnerabilities and exposures on this year's list, says a source involved in planning the event. Participating vendors include Qualys, Foundstone, and Internet Security Systems.
Those companies and others have worked closely with the SANS Institute and agencies within the government over the past four months to compile the list, according to the source.
Sharing Tactics
Apart from the announcements about vulnerabilities, the conference will highlight NASA's program to thwart Internet attacks on its network of over 120,000 machines, according to the source. That program relies on sharing information about vulnerabilities and attacks between different IT groups within an organization, creating a transparent and competitive environment in which IT managers are judged by the security of their systems.
The GSA is expected to present NASA's program as a model that other government agencies and private companies could use to reduce the number of attacks on their own systems.
The GSA will also announce an initiative to expand the government's Safeguard program to help audit the government's own systems for common vulnerabilities.
The Safeguard program is run by the Center for Information Security Services and provides professional services and products to agencies of the federal government to help protect those agencies against potential threats.
Although targeted at IT professionals working within the federal government, the yearly announcement of the 20 top Internet vulnerabilities from the FBI and SANS is recognized by many within the security industry as a benchmark of sorts. It is regarded as a list of vulnerabilities, many of them targeted by high-profile worms or viruses such as the recurring Code Red and the recent Slapper, that must be addressed for a Web site or corporate network to be considered secure.






















