A recently released list of the top 10 software security flaws from the Open Web Application Security Project (OWASP) ranked injection as the No. 1 problem, prompting Larry Seltzer, Editorial Director of BYTE, Dark Reading and Network Computing, to argue in a blog post that preventing SQL injection should be the top concern for organizations looking to get the most out of their security budget. Rather than focusing on threats such as mobile attacks that, for many organizations, remain largely theoretical, it makes sense to devote software security efforts to the most prevalent vulnerabilities.
A counterpoint from Dark Reading contributor Vincent Liu suggested that security should be handled on a more organization-specific basis. Using the example of patch management, Liu pointed out that software or functions that may be the most mission critical in some enterprises might have only a limited role in others. Just as an organization might not want to prioritize patching the computer that runs a welcome video in its lobby over updating the systems that handle core financial data, certain flaws may pose a greater risk depending on context.
What is the No. 1 flaw?
Liu pointed out that Seltzer's decision to name SQL injection as the top software security priority assumed that a list, developed by one industry group and covering only web application errors, provided a complete view of risk. He also suggested that concentrating on a single issue is not good practice.
"Your best bet for defending your organization is to apply the unique knowledge you have about how it is set up and the environment in which it runs," Liu wrote. "When you only prepare for threats coming in one way, you're setting yourself up to be hit by an attack coming in from another."
One issue, for instance, is that while SQL injections might top one group's list of errors, the most common vulnerability type can vary by application. A recent report from Sourcefire found that buffer overflows were the top reported vulnerability of the past 25 years for all types of software. For many organizations, this might be a more important flaw to target.
Minimizing preventable errors
While the best approach to security would be a holistic one that includes thorough source code analysis to catch all errors, Seltzer's argument was more specifically that organizations should focus on preventing errors with in-the-wild exploits and known mitigation techniques. While mobile security is a hot topic, for instance, preventing mobile attacks may require anticipating threats that don't exist yet. However, SQL injections stem from a preventable error that can be addressed with a simple check.
"The amazing thing about SQL injection is that not only is it the most damaging of vulnerabilities, but we know a way to end it: parameterized queries," Seltzer wrote.
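The "preventable error" and its fix, side by side, as an added example that is not part of the original article: the vulnerable function splices user input into the SQL text, while the parameterized version fixes the query's shape at a `?` placeholder so the same input is only ever treated as data. The table, rows and input values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SEED_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The preventable error: the input becomes part of the SQL statement,
    so a value containing a quote can change the query's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix Seltzer names: the statement text never changes; the driver
    binds the value at the placeholder, so quotes in it are just characters."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> tuple:
    """Run the same input through both lookups on a fresh database."""
    conn = build_db()
    return (lookup_vulnerable(conn, name), lookup_parameterized(conn, name))


if __name__ == "__main__":
    # A value that, once concatenated, turns the WHERE clause into a tautology.
    hostile = "x' OR '1'='1"
    print(compare("alice"))   # (['alice'], ['alice'])
    print(compare(hostile))   # (['alice', 'bob'], [])
```

The parameterized lookup returns no rows for the hostile value because there is no user literally named `x' OR '1'='1`, which is exactly the behaviour a reviewer should expect to see when checking a fix.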
Liu agreed with the general conclusion that buying into the newest, most hyped, high-profile threats can be an easy way to overlook easily preventable errors that may be more directly relevant to an individual business.
"The fact of the matter is that the 'latest threats' are rarely the ones companies should be most concerned about," he wrote. "The biggest risks facing companies are the ones they already know about and for which solutions already exist."
By using methods such as static analysis, companies can catch familiar errors and educate developers to avoid these mistakes in the future. At the same time, tools such as source code analysis can help programmers identify errors they may be entirely unfamiliar with and head off potential routes for attack. The relatively low cost of such programs also enables companies to build software security into development without having to prioritize spending around a single issue.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.