In a recent announcement, the US government unveiled a new set of guidance to help businesses evaluate the software behind their websites, power grids and other services, so that this software is less susceptible to hacking.
“Currently, when owners of small businesses buy software or hire a firm to build a website, it is difficult to know whether the programs are really secure or not”, said Alan Paller, director of research at SANS Institute, a computer-security organization.
“Avoiding programming errors is crucial in fending off today’s cyber terrorists”, said Paller. “This is the only way to get around ‘zero days’,” he said, referring to attacks that make use of software vulnerabilities that are unknown and, therefore, cannot be fixed quickly with patches. “The only possible defense is to stop the error from being in the software in the first place.”
Paller said, “… the information, which has been compiled on a special website that the public can view, will tell people what to look for in setting up a secure website and how to judge potential programming errors. It also sets up a scorecard, so that companies looking for a firm to set up a website can check their security score.”
In essence, this effort is aimed at the more than 1 million computer programmers and other high-tech professionals who write code, build websites and develop software. It lays out known software weaknesses and how to fix them.
The effort has been in development for three years, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit organization that conducts federal research in systems engineering and that was behind the development of the program.
The website developed under this program is the Common Weakness Enumeration (CWE™) and, as noted above, is aimed at both the development community and the community of security practitioners.
The CWE™ site comprises a formal list, or dictionary, of common software weaknesses that can occur in software’s architecture, design, code or implementation and that can lead to exploitable security vulnerabilities. CWE™ was created to serve as a common language for describing software security weaknesses; to serve as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation and prevention efforts.
The bottom line is that the Department of Homeland Security (DHS) hopes the program will make it easier for companies and agencies to secure their networks and will contribute to building a safer global network.
If applicable, please pass this information along to the members of your organization’s IT department, as well as to the other risk management and disaster preparedness team members in your organization.
Click here to visit the CWE™ website, and please share with our readers your experiences and perception of the value received from your visit to and use of this website.