It pointed to the attack on Sony Pictures as an example of an SQL injection attack. It called SQL injection the most dangerous flaw for web services, because it can allow outsiders to gain access to possibly sensitive information or resources on servers.
The sixth most dangerous flaw it identified was "missing authorization," and it pointed to the theft of credit card users' records from Citigroup in May. Identifying and fixing the flaws has a "low to medium cost", according to the report.
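As an added example, not from the report or the article, here is what the two flaws just named look like in code: a query built by string concatenation (SQL injection) next to its parameterized form, and a lookup that performs an authorization check before returning another user's records (missing authorization). The table, rows and the policy that a user may only read their own cards are constructed for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two card owners (sample data, not real).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)",
                     [("alice", "4111-1111"), ("bob", "5500-0001")])
    return conn


def cards_vulnerable(conn, owner):
    # Flaw: the caller-supplied value is pasted into the SQL text, so any
    # quote character in it changes the structure of the query.
    sql = "SELECT number FROM cards WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def cards_parameterized(conn, owner):
    # Fix: the driver binds the value separately from the statement text,
    # so it is always compared as data and never parsed as SQL.
    rows = conn.execute("SELECT number FROM cards WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def cards_for_user(conn, requesting_user, owner):
    # Missing-authorization fix: decide whether the caller may see these rows
    # before touching the database. Assumed policy: a user may read only
    # their own cards (hypothetical rule for this example).
    if requesting_user != owner:
        raise PermissionError("not authorized to read cards of %r" % owner)
    return cards_parameterized(conn, owner)
```

Run `cards_vulnerable` with an owner value containing a single quote to see the query return every row, while `cards_parameterized` returns nothing for the same input.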
Complaints about flawed programming and architecture have grown louder in recent times. Programmers are generally not blamed for bugs in their software, and the process of reviewing their work is "uneven", according to Alan Paller, SANS director of research.
MITRE and SANS publish lists of the top 25 flaws regularly. Security firms use that list to certify that the programs they review contain none of the top 25 flaws.