Software Vulnerabilities: The Fed's Most Wanted

On Oct. 2, the General Services Administration released a list from The SANS Institute and FBI of the top 20 Internet security vulnerabilities

On Oct. 2, the General Services Administration released a list from The SANS Institute and FBI of the top 20 Internet security vulnerabilities to the public at a gathering of government CIOs and IT professionals in Washington, D.C. As in the past, this year's SANS/FBI top 20 list sounded warnings about Microsoft's Internet Information Server (IIS) and Internet Explorer Web browser.

For users of the Unix or Linux operating systems, vulnerabilities in the Apache Web server were listed as well as holes in commonly used tools and protocols such as SSH (secure shell), SNMP (simple network management protocol) and FTP (file transfer protocol).

The government is pushing free and premium services offered by vulnerability scanning companies to help organizations identify the vulnerabilities on their networks.

"You can't implement a program like this without tools," says Alan Paller, research director at The SANS Institute. "How do you find the machines with the problems? You would have to manually scan every machine."

In prior years, Paller says, SANS offered only the list or offered free detection tools that were not commonly used.

"The breakthrough this year is that you can use the tools you already have," says Paller, who notes that 90 percent of the scanning market is covered by Internet Security Systems and the Nessus Organization.

While the hand-in-glove nature of the scanning industry's relationship to the SANS/FBI top 20 list might cause some to wonder whether the list is serving the public as much as the bottom line of the major security vendors, Paller says that the cooperation of such companies is absolutely vital in the job of assembling an accurate list for companies to use.

- Paul Roberts
