DHS updates software critical errors list

Legal Tech News: DHS Updates Its Most Dangerous Software Errors

In late November 2019, the Department of Homeland Security released an update to its list of the most dangerous software errors. The report is published under the Common Weakness Enumeration (CWE) and lists the 25 most dangerous software errors. This is the first update to the report in eight years. These aren’t minor errors; they are critical errors. A critical error is a defect that affects the critical functionality of the software or its critical data. There is no way to work around it: it is the most dangerous type of error or defect that exists in software. You can find the full report here. Below is a quick synopsis of the top five most dangerous software errors, because we believe everyone involved in legal tech should be aware of them.


Most Dangerous: Improper Restriction of Operations Involving the Bounds of a Memory Buffer

Because we’re talking about critical errors, we’re starting our synopsis with the most dangerous software error listed in the CWE report: improper restriction of operations within the bounds of a memory buffer. This is defined as software that performs operations on a memory buffer but can read from or write to a location outside that buffer. The potential danger is that an attacker may be able to execute arbitrary code, change the program’s control flow, access sensitive data, or crash the entire system. This error occurs most commonly in C and C++. There is a high likelihood of exploitation.

You may view demonstrative examples involving the IP address of a user by visiting the CWE’s page dedicated to this dangerous error.

Improper Neutralization of Input During Web Page Generation

The second most dangerous software error is the improper neutralization of input during web page generation. The software either does not neutralize, or incorrectly neutralizes, user-controlled input before that input becomes output in a web page that is served to other users. The error typically unfolds as follows:

  • Untrusted data entering a web application;
  • A web application that dynamically generates a web page with untrusted data;
  • When the page is generated, the application doesn’t stop the data from containing code that a web browser can execute;
  • Someone visits the generated web page in their web browser and is exposed to the malicious code;
  • The browser executes the malicious script.

According to the CWE, this dangerous software error is language independent. The potential dangers include the ability to bypass data protection mechanisms, the ability to execute unauthorized code or commands, and the ability to read application data. There is a high likelihood of exploitation. The CWE page devoted to this error provides demonstrative examples.
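The defence the CWE describes for this error is to neutralize user-controlled text before it is placed into a page. The following is an added example, not code from the article or from the CWE site: a small C output encoder that replaces the five characters that can change the structure of HTML, and a page-fragment builder that uses it. The function names (html_escape, render_greeting), the buffer sizes and the sample name are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example (not from the article or the CWE site): escape the five
 * characters that let untrusted text change the structure of an HTML page.
 * The output buffer is sized by the caller; the function returns the number
 * of bytes written (excluding the terminating NUL), or -1 if the buffer is
 * too small, so a short buffer is a reported failure rather than silent
 * truncation. */
int html_escape(const char *in, char *out, size_t out_len) {
    size_t pos = 0;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = NULL;     break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (pos + need + 1 > out_len) return -1;   /* room for text plus NUL */
        if (rep) {
            memcpy(out + pos, rep, need);
        } else {
            out[pos] = *p;
        }
        pos += need;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Build the greeting a page would emit for a user-supplied name (hypothetical
 * field), escaping the name before it is placed inside the markup. */
int render_greeting(const char *name, char *page, size_t page_len) {
    char safe[256];
    if (html_escape(name, safe, sizeof safe) < 0) return -1;
    int n = snprintf(page, page_len, "<p>Hello, %s!</p>", safe);
    if (n < 0 || (size_t)n >= page_len) return -1;
    return n;
}

int main(void) {
    /* Constructed input: a display name that carries markup. */
    const char *name = "<b>Ann</b> & \"friends\"";
    char page[512];
    if (render_greeting(name, page, sizeof page) >= 0)
        puts(page);
    return 0;
}
```

Escaping is applied at the point where the data is written into the page, not where it is read from the request, because the same string may be safe in a log file and dangerous inside HTML.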

Improper Input Validation

The third most dangerous software error on the CWE update is improper input validation. This occurs when the software does not validate, or incorrectly validates, input that can affect the control flow or data flow of the program. Essentially, when the software doesn’t properly validate input, an attacker can submit input in a form the application does not expect. Parts of the system then receive unintended input, which alters the program flow or code execution.

The potential dangers include denial of service (crash, exit, or restart); denial of service through consumption of CPU or memory; reading memory, files, or directories; the ability to modify memory; and the ability to execute unauthorized code or commands. The CWE rates the likelihood of exploitation as high. You can see demonstrative examples involving a shopper interaction by visiting the CWE’s dedicated page for this error.
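As an added illustration of the validation the CWE calls for (this is example code, not from the article or the CWE site), the C function below takes a hypothetical order-form quantity as a string and accepts it only if it is a whole number within a business limit. It rejects empty input, leading whitespace, signs, trailing characters, zero, negatives and overflow, so a downstream price calculation can never be driven negative by an unexpected value. The function names, the MAX_QUANTITY limit and the sample values are assumptions for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUANTITY 100   /* business limit, assumed for the example */

/* Added example, not from the article or the CWE site. A hypothetical
 * order form sends a quantity as a string; this parses it with strtol and
 * rejects everything that is not a whole number in [1, MAX_QUANTITY]:
 * empty input, leading whitespace, signs, trailing junk, overflow, zero
 * and negatives. Returns 1 and stores the value on success, 0 on rejection. */
int parse_quantity(const char *text, int *out) {
    if (text == NULL || *text == '\0') return 0;
    /* strtol accepts leading whitespace and a sign; refuse both explicitly */
    if (!isdigit((unsigned char)text[0])) return 0;
    errno = 0;
    char *end;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE) return 0;          /* value does not fit in a long */
    if (*end != '\0') return 0;             /* trailing characters after the digits */
    if (v < 1 || v > MAX_QUANTITY) return 0;
    *out = (int)v;
    return 1;
}

/* Total in cents for one order line. Because the quantity has already been
 * bounded, the total can never be negative. Returns -1 on rejected input. */
long line_total_cents(const char *qty_text, long unit_price_cents) {
    int qty;
    if (!parse_quantity(qty_text, &qty)) return -1;
    return (long)qty * unit_price_cents;
}

int main(void) {
    /* Constructed form values a server might receive */
    const char *samples[] = { "3", "-1", "0", "1e3", " 7", "999999999999", "2abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long t = line_total_cents(samples[i], 1999);
        printf("%-14s -> %s\n", samples[i], t < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The check is an allow-list (digits only, then a range), which is the form the CWE recommends over trying to enumerate bad inputs.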

Information Exposure

The fourth most dangerous error on the CWE’s list is information exposure. This is the intentional or unintentional disclosure of information to someone not explicitly authorized to access it. The information may be sensitive in itself, such as private messages, or it may reveal details about the product or its environment that are useful for an attack even though that information is not normally available to the attacker. Although this error can appear in any language, it seems to appear most frequently in mobile applications.

The potential danger is that an unauthorized individual can access sensitive information. The CWE reports a high likelihood of exploitation. You can find demonstrative examples in both Perl and Java by visiting the CWE’s dedicated page for this error.

Out-of-Bounds Read

An out-of-bounds read, ranked number five on the CWE’s list, is a dangerous error in which the software reads past the end or before the start of the intended buffer. This could allow an attacker to read sensitive information from memory or could cause a crash. The languages most affected by this error are C and C++.

The potential dangers include the ability for an attacker to access information or to bypass implemented data protections. You can find demonstrative examples of this error in C by visiting the CWE’s dedicated page for this error.
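The first and fifth errors on the list are two sides of the same defect: a buffer is accessed without regard to its size, either when writing (the memory-buffer error above) or when reading (this out-of-bounds read). The following added example, which is not code from the article or the CWE site, shows the defensive pattern for both in C: every access carries the buffer length with it and is refused when it would fall outside the buffer. The helper names (copy_field, read_byte), the 16-byte record and the sample values are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the article or the CWE site. Two helpers that
 * carry the buffer's size alongside its pointer so every access is checked:
 * copy_field bounds the write (the defect is copying without regard to the
 * destination size), read_byte bounds the read (the defect is indexing past
 * the end or before the start). */

/* Copy a NUL-terminated field into dst. Refuses (returns 0) instead of
 * writing past dst; the unsafe pattern this replaces is strcpy(dst, src). */
int copy_field(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) return 0;   /* no room for text + NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Fetch one byte at a caller-supplied index. A signed index lets the check
 * catch negative offsets as well as those past the end. Returns 1 and stores
 * the byte on success, 0 if the index is out of bounds. */
int read_byte(const unsigned char *buf, size_t buf_len, long index, unsigned char *out) {
    if (index < 0 || (size_t)index >= buf_len) return 0;
    *out = buf[index];
    return 1;
}

int main(void) {
    char record[16];
    /* Constructed inputs: one fits the record, one is longer than it */
    printf("short: %s\n", copy_field(record, sizeof record, "case-1234") ? "copied" : "rejected");
    printf("long:  %s\n", copy_field(record, sizeof record, "case-1234-supplemental-filing") ? "copied" : "rejected");

    unsigned char b;
    printf("index 3:  %s\n", read_byte((unsigned char *)record, sizeof record, 3, &b) ? "ok" : "out of bounds");
    printf("index 16: %s\n", read_byte((unsigned char *)record, sizeof record, 16, &b) ? "ok" : "out of bounds");
    printf("index -1: %s\n", read_byte((unsigned char *)record, sizeof record, -1, &b) ? "ok" : "out of bounds");
    return 0;
}
```

The point of returning a status rather than truncating or clamping is that the caller learns an input did not fit and can log or reject it; the CWE’s mitigations for both errors come down to this kind of explicit length check, ideally enforced by using the size-aware library calls and compiler checks rather than hand-written code at every call site.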

Mitigating Your Risk in Legal Tech

If you’re worried about any of the top five dangers above, or any of the 20 we did not discuss, you’ll be pleased to know that the CWE also provides ways to mitigate your risk and protect your code and your data. To find the mitigation suggestions, first visit the main page for the report. Then find the error you’re concerned with and click the link to its page. Finally, scroll toward the end of the page for the section entitled “Potential Mitigations.”
