January 13th, 2009

Top 25 coding defects listed, surprising nobody with a clue

Posted by Adam O'Donnell @ 1:52 pm

Categories: Exploit code, Punditocracy, Tools, Vulnerability research

Tags: Software, Tools & Techniques, Management, Adam O'Donnell

The SANS Institute has produced a list of the top 25 classes of programming flaws. The list won’t make the flaws go away, but it does give software purchasers a powerful tool for whacking irresponsible software vendors.

A consortium of government, industry, and academic software security experts has produced a list of the top 25 software development syndromes that lead to security vulnerabilities. If you have ever developed code that is used by more than a handful of people, you have heard of the vast majority of the problems, including the infamous buffer overflow and the family of injection flaws (SQL, OS command, and code injection) that appear as separate entries on the list.
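To make one of those entries concrete, here is an added example (not code from the original post or from SANS/MITRE) of the classic buffer-overflow weakness the list files under "failure to constrain operations within the bounds of a memory buffer", shown next to a bounded version. The record layout, field names, and sample inputs are invented for illustration.

```c
/* Added example, not from the original post: an unbounded copy into a
 * fixed-size buffer, beside a version that checks the length first.
 * The struct, field names, and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    int  is_admin;          /* lives right after 'name' in memory */
};

/* Weak: strcpy() trusts whatever length the caller hands it. An input of
 * NAME_MAX bytes or more (plus its NUL) writes past 'name' into whatever
 * follows, here 'is_admin'. Only ever call this with already-bounded input. */
int load_record_unsafe(struct record *r, const char *input)
{
    r->is_admin = 0;
    strcpy(r->name, input);             /* no bounds check: the weakness */
    return 0;
}

/* Hardened: measure the input against the destination before copying and
 * refuse anything that does not fit (including the terminating NUL),
 * rather than silently truncating and hoping the caller notices. */
int load_record_safe(struct record *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof r->name)            /* need room for the NUL too */
        return -1;
    memcpy(r->name, input, n + 1);
    r->is_admin = 0;
    return 0;
}

int main(void)
{
    struct record r;
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* 32 bytes */

    printf("safe/short: %d\n", load_record_safe(&r, short_name));   /* 0  */
    printf("safe/long:  %d\n", load_record_safe(&r, long_name));    /* -1 */
    /* load_record_unsafe(&r, long_name) would overrun 'name'; not run here. */
    return 0;
}
```

The point a purchaser's reviewer (or a static analysis tool) would flag is the `strcpy` with no relation between the source length and the 16-byte destination; the fix is the explicit `n >= sizeof r->name` check, not a switch to a "safer" copy function that truncates quietly.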

The list will not likely make anyone a better programmer, but it does give organizations that are looking to purchase software a metric they can use to beat up on potential vendors. If a high number of “Top 25” weaknesses are found in the product, then a purchaser can either push down on the price or demand that the vendor repair the issues before the deal is completed. In other words, it allows the customer to use the power of the purse to demand improvements in software security, a requirement that heretofore had no metric with community consensus behind it.

If software purchasers start demanding that software be delivered with a minimum of defects, various third-party firms will have to become involved to provide independent measurement of a product’s security profile. This is similar to the “Cyberspace Underwriter’s Lab” model discussed by the L0pht crew 10 years ago this week. In the absence of a single such third party, look to product offerings like Veracode, Coverity, and Fortify, as well as services from the groups mentioned in the Twitter improvement plan posted earlier this week. This combination of software metrics, purchasing requirements, and third-party validation will eventually make the majority, but not all, of these issues a thing of the past.

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He is currently the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 7)

Security costs little and can reap a relative profit
I disagree that security costs money as a blanket statement. For those who have never bothered with security, maybe it does cost some man-hours in training and attitude readjustment.
But Secu...
Posted by: twaynesdomain, 01/15/09

All Talkback threads:
  • A list . . .  CobraA1 | 01/13/09
  • Security costs money  nospam@... | 01/13/09
  • Insecurity costs money.  CobraA1 | 01/13/09
  • Agreed, although it is a case of risk management nt  T1Oracle | 01/14/09
  • Generally agree  AndyCee | 01/13/09
  • Security costs little and can reap a relative profit  twaynesdomain | 01/15/09
  • RE: Top 25 coding defects listed, surprising nobody with a clue  twaynesdomain | 01/15/09
