Security Experts: Developers Responsible for Programming Problems
A group of security luminaries lead by SANS Institute and MITRE are calling for software developers and vendors to shoulder the burden when it comes to programming mistakes in their products
By Joan Goodchild , Senior Editor
February 16, 2010 — CSO —
The burden of responsibility for programming errors should be on the shoulders of the vendors who create them, not on the buyer, according to a group of security experts who have banded together to identify common programming mistakes. For the second year in a row, the group of experts from more than 30 U.S. and international cyber security organizations have released a list of the 25 most dangerous programming errors that enable security bugs, cyber espionage and cyber crime (See last year's list in Security Experts ID Top 25 Programming Errors).
"These 25 programming errors, and their "on the cusp cousins" have been the cause of nearly every major type of cyber attack, including recent penetrations of Google, power systems, military systems, and millions of other attacks on small businesses and home users," officials said in a statement on the findings. "A global effort to eliminate these programming errors is the first step against organized cyber criminals, and the persistent threat from competing nation states."
The Top 25 effort was managed by MITRE and the SANS Institute, but the impetus for the project came from the National Security Agency and it received financial support from the U.S. Department of Homeland Security's National Cyber Security Division. In addition to identifying the errors, the group agreed on a standard for contract language between software buyers and developers. The hope is that use of this contract language will ensure buyers are not held liable for software containing faulty code. Coding errors are a common gateway for attackers to penetrate networks, said officials with the project (Read about a certification from ISC2 that targets secure software development practices and expertise)
"Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers," said Alan Paller, Director of Research, SANS Institute. "The only way programming errors can be eradicated is by making software development organizations legally liable for the errors. And that can only be done if there is a safe harbor."
Paller said Tuesday's announcement serves as what the group hopes to be the foundation for that so-called 'safe harbor' and that software vendors will in the future be held liable for their errors because the list now creates a definitive minimum standard of due care.
"There appears to be broad agreement on the programming errors," said SANS Director, Mason Brown. "Now it is time for buyers to say 'we are mad as h*ll, and we are not going to buy software unless you get rid of these errors before you deliver it to us.'
Read more about data protection in CSOonline's Data Protection section.
Other stories by Joan Goodchild