* Scoring system for software security unveiled
* System will prioritize company-specific threats
* Aims to fix common software errors exploited by hackers
By Roy Strom
NEW YORK, June 27 (Reuters) - Software developers worried about guarding against hacker attacks now have a new tool to help them identify common bugs.
The U.S. government on Monday issued an updated list of the 25 most dangerous software errors and guidelines to help programmers identify and avoid them.
Software consumers can now ask the developers for a standard security score intended to make software writers more vigilant in keeping bugs out.
“The developer of the software isn’t going to show a low score,” said Alan Paller, research director at SANS Institute, a computer security training company. “He’s going to fix the problem. Because how can you possibly say, ‘I’m going to sell you something that’s dangerous?’”
The list of software vulnerabilities issued by the Department of Homeland Security and MITRE, a government-backed research organization, has been issued once a year since 2009.
Number one on the latest list was a security hole called SQL injection that allowed hacker group LulzSec to break into Sony and into InfraGard, an outreach center used by the Federal Bureau of Investigation to liaise with private business.
Giving the software errors a common name was a vital step in creating the standardized scoring system.
Many companies that analyze software for bugs reported the same bugs under different names, which made a security scoring system nearly impossible. Now MITRE is pushing companies that analyze software to adopt a common vocabulary for those bugs, the Common Weakness Enumeration (CWE), together with the new scoring system built on it.
Software analyzers Fortify, owned by Hewlett-Packard (HPQ.N), and privately held Cenzic announced they would use MITRE’s language and scoring system.
Many of the software errors that hackers exploit should be considered low-hanging fruit by now. SQL injection, for example, has been a known problem in the industry for years.
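The flaw at the top of the list is easy to show in a few lines. The following is an added example, not code from the article or from MITRE or SANS: a constructed SQLite login table, a lookup written the way CWE-89 describes (user input spliced into the SQL text), and the same lookup rewritten with a parameterised query. The table, user names, passwords and attack strings are all made up for the demonstration.

```python
import sqlite3

# Constructed toy database: two users with plaintext passwords. A real
# application would store password hashes; the only point here is CWE-89.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """CWE-89: attacker-controlled strings are pasted into the SQL text,
    so a quote character in the input changes the statement's structure."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s' "
           "ORDER BY username" % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_fixed(conn, username, password):
    """Parameterised query: the SQL text is a constant and the driver passes
    the values separately, so input is never parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]

# Two classic payloads (constructed for the demo).
TAUTOLOGY = "' OR '1'='1"     # in the password field: makes the WHERE clause true for every row
COMMENT_OUT = "alice' --"     # in the username field: comments out the password check entirely

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", TAUTOLOGY))    # ['alice', 'bob']
    print(login_vulnerable(conn, COMMENT_OUT, "wrong"))  # ['alice']
    print(login_fixed(conn, "alice", TAUTOLOGY))         # []
    print(login_fixed(conn, COMMENT_OUT, "wrong"))       # []
    print(login_fixed(conn, "alice", "s3cret"))          # ['alice']
```

In the vulnerable version the tautology payload turns the statement into `... AND password = '' OR '1'='1'`, which matches every row, and the comment payload leaves `... WHERE username = 'alice' --...`, which never checks the password at all. The fixed version accepts exactly the same input and returns nothing, because the quote and the `--` arrive as data, not as SQL.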
But part of the reason seemingly simple holes in security exist is because there are no real standards for teaching secure software coding.
Coders come from backgrounds as diverse as being completely self-taught to having degrees from Harvard. Paller said the majority of code writers were never taught how to write secure code.
“If they’ve never been taught it, and no one asks them and no one checks, then they don’t do it, because they don’t know how to do it,” Paller told Reuters.
Paller said he ruffled feathers in the industry when he offered cash prizes for students who found security flaws in the books that were teaching them to write code.
Joe Jarzombek, head of the program at the Department of Homeland Security, said the top 25 list works like a checklist: software writers can now measure their code against it and certify that what they write is free of those mistakes.
“It’s a great service to people who otherwise think, ‘I’m a victim. I can’t do anything about software,’” he said in an interview. (Reporting by Roy Strom; Editing by Gary Hill)