Posted by: Stephen Wildstrom on January 12, 2009
Computer security experts have warned for years that the endless cycle of software flaws and exploits will only be broken when we create incentives for software authors and publishers to get it right. On Jan. 12, the industry took a potentially important step toward that goal when a broad coalition of companies, government agencies, academics, and advocacy groups launched a program to assure that software is free of 25 common errors that lead to the bulk of security problems.
The key to making the program effective is that it goes well beyond recommending best practices. Software buyers, particularly governments and large corporations, are being urged to demand that vendors certify that the code they sell is free of these 25 errors, and there's nothing like potential legal liability to get a company's attention. In addition, colleges are pledging to train students in writing software, and employers can use the guidelines to assess the skills of the programmers they hire.
In one sense the list of the Top 25 errors this program is designed to fight is a little sad, because the problems are the same ones that have created security liabilities for decades. The first known Internet worm, created by then-Cornell graduate student (and now MIT professor) Robert Tappan Morris in 1988, exploited a weakness known as a buffer overflow, a way to get a computer to execute code disguised as data. Two decades later, buffer overflows and other closely related errors continue to be major security problems and have earned a prominent place on the Top 25. Other common security problems addressed on the list include Web site design problems that allow hidden code on a seemingly benign page to invisibly redirect you to a malicious site, improper use of encryption that can lead to the loss of critical data, and good old-fashioned calculation errors that can wreak havoc on results.
One encouraging thing about the Top 25 is that such organizations as Microsoft, Apple, and Oracle are aboard, along with a lengthy list of security vendors. Still, the effort is not going to lead to much unless buyers, especially governments with their massive clout, get serious about buying only security-certified software.