Tan's vision got one step closer this week when CWE and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally there is consensus about what the worst software security flaws are. This is an important step because minimum due care for a software producer can be defined as preventing the most dangerous programming errors from being delivered to their customers.
This is the approach forward-thinking companies like Barclays are taking with their software providers. Barclays uses Veracode's testing services to get third-party validation that its software providers aren't delivering code that contains dangerous programming errors.
Will Pelgrin, CSO of New York State, and Jim Routh, CISO of the Depository Trust & Clearing Corporation (another Veracode customer), this week released Application Security Procurement Language. This is contract language that can be inserted into a software acquisition agreement to require the software provider to show that it used due care to remove the Top 25 dangerous programming errors.
Adam O'Donnell blogged on ZDNet that he, too, sees the pieces falling into place for Tan's vision to be realized:
If software purchasers start demanding that software is delivered with a minimum of defects, various third-party firms will have to become involved to provide independent measurement of a product’s security profile. This is similar to the “Cyberspace Underwriter’s Lab” model discussed by the l0pht crew 10 years ago this week. In the absence of a single third party, look to product offerings like Veracode, Coverity, and Fortify as well as services from groups mentioned in the twitter improvement plan posted earlier this week. This combination of software metrics, purchasing requirements, and third party validation will eventually make the majority, but not all, of these issues a thing of the past.
Eradicating the Top 25 doesn't eliminate all software risk, but it will drastically reduce the number of vulnerabilities in our information systems. Let's all use our buying power to demand better from our software vendors, service providers, and outsourcers. We have the list and the testing capability to keep them honest.
Underwriters Laboratories is a trademark of Underwriters Laboratories.