It was 10 years ago this week that Tan from the L0pht wrote Cyberspace Underwriters Laboratories to describe a vision of third party testing and certification of computer hardware and software.

Tan's vision got one step closer this week when MITRE's CWE program and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally, there is consensus about what the worst software security flaws are. This is an important step because minimum due care for a software producer can now be defined as preventing the most dangerous programming errors from being delivered to their customers.

This is the approach forward-thinking companies like Barclays are using with their software providers. Barclays uses Veracode's testing services to get third-party validation that its software providers aren't delivering code with these dangerous programming errors included.

Will Pelgrin, CSO of New York State, and Jim Routh, CISO of the Depository Trust & Clearing Corporation (another Veracode customer), this week released Application Security Procurement Language. This is language that can be inserted into a software acquisition contract to require the software provider to show that it used due care to remove the Top 25 dangerous programming errors.

Adam O'Donnell blogged on ZDNet that he, too, sees the pieces falling into place for Tan's vision to be realized:

If software purchasers start demanding that software is delivered with a minimum of defects, various third-party firms will have to become involved to provide independent measurement of a product’s security profile. This is similar to the “Cyberspace Underwriter’s Lab” model discussed by the l0pht crew 10 years ago this week. In the absence of a single third party, look to product offerings like Veracode, Coverity, and Fortify as well as services from groups mentioned in the twitter improvement plan posted earlier this week. This combination of software metrics, purchasing requirements, and third party validation will eventually make the majority, but not all, of these issues a thing of the past.

Eradicating the Top 25 doesn't eliminate all software risk, but it will drastically reduce the number of vulnerabilities in our information systems. Let's all use our buying power to demand better from our software vendors, service providers, and outsourcers. We have the list and the testing capability to keep them honest.

Underwriters Laboratories is a trademark of Underwriters Laboratories.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
