ID: IRCNE2011071164
Date: 2011-07-02
According to “eSecurity Planet”, SANS was out last week with its annual CWE/SANS Top 25 Most Dangerous Software Errors Report for 2011. According to a number of security industry professionals, it is a list that does not necessarily highlight new trends, but rather shows that old problems continue to persist.
At the top of the list for 2011 is SQL Injection, which should come as no surprise to anyone that has followed the recent spate of breaches.
"SQL injection was the vulnerability behind the Sony, InfraGard, and other recent attacks. Yet no matter if it's No. 1 or No. 4 or No. 10, it always has been one of the primary causes of significant data breaches in the past, and it will continue to be for many years to come," said a managing partner at security research firm Stach & Liu.
In 2010, SQL Injection came in at No. 2 on the SANS list behind Cross Site Scripting.
"Given the types of hacks that made the news in the last 12 months it’s not surprising that SQL Injection is high on the list," said Mike Shema, engineering lead for the Qualys Web application scanning service. "What is surprising is that the countermeasures to SQL injection are well-known, effective, and available in all of the major programming languages used in web apps for at least half a decade." Shema added that the prevalence of malware has shown that software errors in Web browsers seem to be more interesting targets (in terms of sheer numbers) than bugs in websites.
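The well-known countermeasure Shema refers to is the parameterized (prepared) query, in which user-supplied values are bound by the database driver rather than pasted into the SQL text. The following Python snippet is an added illustration and is not code from the article or from any of the vendors quoted; it uses Python's built-in sqlite3 module, and the users table, the credentials and the attack strings are constructed sample data. It shows a string-built login query being bypassed by a classic injection payload, and the same lookup written with bound parameters, where the payload is treated as an ordinary (non-matching) value.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table.

    Passwords are stored in clear text only to keep the query logic visible;
    a real application would store a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The error on the SANS list: SQL assembled by string formatting.

    Whatever the caller sends becomes part of the SQL syntax, so a quote in
    the input terminates the literal and the rest is parsed as SQL.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The countermeasure: a parameterized query.

    The SQL text is fixed; the driver binds the two values at execution time,
    so quotes, comment markers and OR clauses in the input are just characters
    being compared against the stored column.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same constructed payloads."""
    conn = make_db()
    # Payload 1: close the username literal and comment out the password check.
    comment_out = ("alice' --", "wrong password")
    # Payload 2: tautology in the password field; AND binds tighter than OR,
    # so the WHERE clause reduces to ... OR '1'='1'.
    tautology = ("nobody", "' OR '1'='1")
    return {
        "vulnerable_comment": login_vulnerable(conn, *comment_out),
        "vulnerable_tautology": login_vulnerable(conn, *tautology),
        "safe_comment": login_safe(conn, *comment_out),
        "safe_tautology": login_safe(conn, *tautology),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s -> %r" % (name, result))
```

The vulnerable function logs the attacker in as "alice" for both payloads without the password; the parameterized function returns no row for either payload and still authenticates the legitimate credentials. The same pattern exists under different names in every major web language (PreparedStatement in Java, PDO prepared statements in PHP, DBI placeholders in Perl), which is the point Shema makes about the fix having been available for years.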
Looking beyond SQL Injection, the SANS report ranked 'OS Command Injection' as No. 2. Coming in third is the classic Buffer Overflow, while Cross-Site Scripting (XSS) came in fourth. In the fifth spot is Missing Authentication for Critical Function.