A monumental breakthrough in the war against cyber crime occurred on Monday. The SANS Institute and MITRE announced the Top 25 programming flaws most attacked by cyber gangs.
For now, let’s savor the moment. Hopefully, the collaborative consensus among a diverse collection of 37 organizations — including Microsoft, Oracle, EMC, Apple, the NSA, DHS and an amalgam of tech security firms — that produced the Top 25 flaws will emerge as a model. It is an example of the type of for-the-greater-good, public-private collaboration needed to stem cybercrime.
It is nothing short of remarkable, given the intensely competitive tech industry, and as such it can and should be viewed as a light at the end of the tunnel. This diverse group of companies, colleges and agencies reached a consensus in just 12 weeks, pinpointing the top 25 coding errors that lead to 85% of the criminal activity on the Internet.
The next step will also be a great leap: governments and the corporate sector must uniformly demand software free of these Top 25 flaws. The Department of Defense will lead the way in accepting only software tested and certified against the Top 25 flaws. The Pentagon is already getting a boost from New York State CSO Will Pelgrin who just posted new procurement specifications for software purchased by his state; and several other states are considering instituting similar policies, says SANS research director Alan Paller.
Having a list of Top 25 flaws under attack by cyber crooks provides “a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix,” says Michael Howard, Microsoft’s principal security program manager.
And Konrad Vesey, a member of NSA’s Information Assurance Directorate, says: “The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator centered view (detect/respond/patch) to a software engineering centered view (design/implement/verify).”
Or as Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code, puts it: “Now we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.”
Paller says a big liability shift is underway. “From now on, people who buy software will be able to have the vendors certify that none of these 25 errors are in the code,” says Paller. “This will shift the liability for non-secure software from the buyer to the seller.”
The faster these positive effects take hold the better.