The annual CWE (Common Weakness Enumeration)/SANS Top 25 Most Dangerous Software Errors list describes the most serious software weaknesses that software makers and large IT organizations face and how to avoid them. Each weakness is scored on its prevalence, its importance (how much damage a successful attack does), and the likelihood that attackers will actually try to exploit it.
Topping this year's list are weaknesses such as SQL injection, classic buffer overflow, cross-site scripting, cross-site request forgery, and missing encryption of sensitive data. If those sound familiar, that's because several of them were exploited to steal data sitting on corporate servers this year. The full 2011 CWE/SANS report is worth reading in its own right, but here's a look at some of the highlights from this year's top 25 software weaknesses.
SQL injection
SQL injection was behind many of the year's high-profile attacks, including LulzSec's break-ins at Sony Pictures and PBS and Anonymous's intrusion into the network of security company HBGary Federal. The same technique was even used to break into Oracle's MySQL.com. The weakness (CWE-89) arises when an application builds a database query by pasting untrusted input directly into the query text, so that quotes, comments or boolean operators in the input change what the query does.
After hacking into Sony Pictures LulzSec called SQL injection, “one of the most primitive and common vulnerabilities.”
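To show why the technique is so "primitive" and yet so effective, here is an added example that is not code from the article or from any of the breached sites. It builds a constructed two-row SQLite user table (the names, passwords and payloads are made up for the demo, and the table stores passwords in clear only to keep the injection demo short), then runs two classic injection payloads against a login check written with string concatenation and against the same check written as a parameterised query:

```python
import sqlite3

# Constructed sample data for the demo; not from the article or any real breach.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """CWE-89 pattern: untrusted input is pasted into the query text, so
    quotes, comments and boolean operators in the input rewrite the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: a parameterised query. The driver passes input as bound values,
    so it is never parsed as SQL syntax, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads. Neither needs to know any password.
TAUTOLOGY = "' OR '1'='1"     # turns the WHERE clause into "... OR true"
COMMENT_OUT = "alice' --"     # closes the string, then comments out the password check


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology in password:", login_vulnerable(db, "alice", TAUTOLOGY))  # True
    print("vulnerable, comment in username:  ", login_vulnerable(db, COMMENT_OUT, "x"))    # True
    print("parameterised, same inputs:       ", login_safe(db, "alice", TAUTOLOGY),
          login_safe(db, COMMENT_OUT, "x"))                                                # False False
```

The vulnerable version accepts both payloads because the input becomes part of the SQL grammar: the first makes the WHERE clause true for every row, the second ends the username literal and comments out the rest of the statement. The parameterised version treats the same strings as plain data and rejects both. The same fix applies to any driver or ORM; escaping input by hand is the wrong tool because it has to be right for every database dialect and every context in which the value is used.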
Missing authorization
Missing encryption of sensitive data
It's bad enough when a company or organization makes it easy for attackers to break in, but it gets worse when critical data such as account passwords is sitting there unprotected. LulzSec gained access and later released more than 62,000 plaintext passwords stolen from various databases. For passwords specifically, the right protection is not reversible encryption (a key the server can use, an intruder on that server can usually use too) but a salted, deliberately slow one-way hash, so that a stolen table yields nothing that can be logged in with directly.
Threats aplenty
For readers who want to learn about the biggest software weaknesses of 2011, the report has plenty more to say. For example, it also discusses how the Stuxnet worm, which sabotaged equipment at Iranian nuclear facilities, relied on hard-coded credentials: a fixed password built into the industrial control software it targeted let it reach that software's database on any system running it, and no administrator could change it. If you have any interest in computer security, the CWE report is well worth a read.
Connect with Ian Paul (@ianpaul) and Today@PCWorld on Twitter for the latest tech news and analysis.