New US software guidelines aim to thwart hackers

Wednesday, 29 June 2011 00:45

NEW YORK: Software developers worried about guarding against hacker attacks now have a new tool to help them identify common bugs.

The US government on Monday issued an updated list of the 25 most dangerous software errors and guidelines to help programmers identify and avoid them.

The system aims to plug common security holes that hackers have used to attack such companies as Lockheed Martin and Sony Corp.

Software consumers can now ask the developers for a standard security score intended to make software writers more vigilant in keeping bugs out.

"The developer of the software isn't going to show a low score," said Alan Paller, research director at SANS Institute, a computer security training company. "He's going to fix the problem. Because how can you possibly say, 'I'm going to sell you something that's dangerous?'"

The list of software vulnerabilities issued by the Department of Homeland Security and MITRE, a government-backed research organisation, has been issued once a year since 2009.

Number one on the latest list was a security hole called SQL injection that allowed hacker group LulzSec to break into Sony and into InfraGard, an outreach center used by the Federal Bureau of Investigation to liaise with private business.

Giving the software errors a common name was a vital step in creating the standardised scoring system.

Many companies that analyse software for bugs reported the same bugs using different names, making a security scoring system nearly impossible. Now, MITRE is pushing for companies that analyse software to adopt a common language, called the Common Weakness Enumeration, and the new scoring system.

Software analysers Fortify, owned by Hewlett-Packard, and privately held Cenzic announced they would use MITRE's language and scoring system.

Many of the software errors that hackers exploit should be considered low-hanging fruit by now. SQL injection, for example, has been a known problem in the industry for years.
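To make concrete why SQL injection is considered low-hanging fruit, here is an added example (not code from the article, nor from MITRE, SANS or the vendors named) showing the vulnerable pattern next to its fix. It uses Python's built-in sqlite3 module with a constructed in-memory `users` table and a constructed input string; the table, column names and account names are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with two hypothetical accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern (CWE-89): untrusted input is pasted into the SQL text,
    # so a quote character in the input changes the meaning of the statement.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Hardened pattern: a parameterized query. The input is bound as a value by
    # the database driver and is never parsed as SQL, whatever characters it holds.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input containing a quote and an OR clause; it is the kind of
# value a login form would receive from an untrusted client.
TAMPERED_INPUT = "x' OR '1'='1"


def demo():
    # Returns what each lookup yields for a normal name and for the tampered input.
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_tampered": lookup_unsafe(conn, TAMPERED_INPUT),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tampered": lookup_safe(conn, TAMPERED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the tampered input the concatenated query matches every row in the table, while the parameterized query matches none, because no account is literally named `x' OR '1'='1`. The fix is mechanical, which is exactly why this class of bug belongs on a list of errors that should no longer survive code review.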

But part of the reason such seemingly simple security holes still exist is that there are no real standards for teaching secure coding.