One big step toward a safer Internet
A monumental breakthrough in the war against cyber crime occurred on Monday. The SANS Institute and MITRE announced the Top 25 programming flaws most attacked by cyber gangs.
For now, let’s savor the moment. Hopefully, the collaborative consensus among a diverse collection of 37 organizations — including Microsoft, Oracle, EMC, Apple, the NSA, DHS and an amalgam of tech security firms — that produced the Top 25 flaws will emerge as a model. It is an example of the type of for-the-greater-good, public-private collaboration needed to stem cybercrime.
It is nothing short of remarkable, given the intensely competitive tech industry. As such, it can and should be viewed as a light at the end of the tunnel. It’s remarkable that this diverse group of companies, colleges and agencies was able to reach a consensus in just 12 weeks, pinpointing the top 25 coding errors that lead to 85% of the criminal activity on the Internet.
The next step will also be a great leap: governments and the corporate sector must uniformly demand software free of these Top 25 flaws. The Department of Defense will lead the way in accepting only software tested and certified against the Top 25 flaws. The Pentagon is already getting a boost from New York State CSO Will Pelgrin, who just posted new procurement specifications for software purchased by his state; several other states are considering instituting similar policies, says SANS research director Alan Paller.
Having a list of Top 25 flaws under attack by cyber crooks provides “a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix,” says Michael Howard, Microsoft’s principal security program manager.
And Konrad Vesey, a member of NSA’s Information Assurance Directorate, says: “The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator centered view (detect/respond/patch) to a software engineering centered view (design/implement/verify).”
Or as Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code, puts it: “Now we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.”
Paller says a big liability shift is underway. “From now on, people who buy software will be able to have the vendors certify that none of these 25 errors are in the code,” says Paller. “This will shift the liability for non-secure software from the buyer to the seller.”
The faster these positive effects take hold the better.
–Byron Acohido
January 13th, 2009 at 4:53 pm
Over the last few months I have worked with a group of software security experts to develop the CWE/SANS Top 25 Most Dangerous Programming Errors. Working on this project has got me thinking about a key point that we make in Secure Programming with Static Analysis: Most of the people who build software are focused on things other than security (writing code, running test cases, deploying applications, and so on). These people are making security-critical decisions on a daily basis, but they can’t afford to become security experts–they’ve got other things to worry about.
January 13th, 2009 at 7:16 pm
Agreed. To put it another way, the history of software development since the PC entered our lives in the mid-1980s has revolved around features and functionality. This is really all about drawing a line in the sand and saying from now on, hopefully, software developers will take what we’ve learned about profit-motivated attacks in the past five years, and factor that into how we create software applications and train the next generation of developers. If that happens, the Internet will steadily get safer over time.