SANS is out this week with its annual CWE/SANS Top 25 Most Dangerous Software Errors Report for 2011. The list doesn’t necessarily highlight new trends, but rather puts the spotlight on known issues that continue to persist.
At the top of the list for 2011 is SQL Injection, which should come as no surprise to anyone that has followed the recent spate of breaches.
“Everyone seems to be focusing on the fact that SQL injection made it to No. 1 this year, but I find myself thinking, so what?” Vincent Liu, managing partner at security research firm Stach & Liu told InternetNews.com. “SQL injection was the vulnerability behind the Sony, Infraguard, and other recent attacks. Yet no matter if it’s No. 1 or No. 4 or No. 10, it always has been one of the primary causes of significant data breaches in the past, and it will continue to be for many years to come.”
Liu is not alone in his lack of surprise at seeing SQL Injection at the top of the list. In 2010, SQL Injection came in at No. 2 on the SANS list behind Cross Site Scripting.That said, the fact there is still an indirect surprising fact associated with SQL Injection’s top billing.
“Given the types of hacks that made the news in the last 12 months it’s not surprising that SQL Injection is high on the list,” Mike Shema, engineering lead for the Qualys Web application scanning service told InternetNews.com. “What is surprising is that the countermeasures to SQL injection are well-known, effective, and available in all of the major programming languages used in web apps — for at least half a decade.”
Looking beyond SQL Injection, the SANS report ranked ‘OS Command Injection’ as No. 2. Coming in third is the classic Buffer Overflow while Cross-Site Scripting (XSS) came in fourth. In the fifth spot, is Missing Authentication for Critical Function.
“A surprising thing about the list is the lack of obvious client-side problems,” Qualys’ Shema said. “Several of the software errors like buffer overflows (CWE-120) or others in the Risky Resource Management category could, and probably do, apply to Web browsers.”
Shema added that the prevalence of malware has shown that software errors in Web browsers seem to be more interesting targets (in terms of sheer numbers) than bugs in websites.
“It would be inadvisable to glance over this list and assume that only Web developers need to fix their sites,” Shema said. “If you’re using an outdated browser or haven’t kept the browser’s plug-ins up to date, then you’ve exposed yourself to plenty of attacks that will exploit these kinds of errors.”
Marcus Carey, security researcher at Rapid7, also is in the camp of those who aren’t impressed or surprised by this latest attempt to list vulnerabilities.
“This report is more of the same type of guidance we’ve been seeing for years,” Carey told InternetNews.com. “Securing Web applications and programming in general is tough and the Internet is full of amateur (skill-wise) Web application developers creating poorly designed custom applications.”
Carey noted that while reports analyzing the top software flaws provide good insight into where the issues lie, they don’t help address the problem.
“The best thing we can do for web application security is to encourage the use of frameworks and secure coding examples in development as they mitigate most Web application threats,” Carey said. “The frameworks can be updated and patched, which mitigates future risks, as well.”