- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - Will the Top 25 worst software errors list released Monday be able to rescue customers from rotten software?
That's the palpable hope from some security managers who have backed the government and industry effort to identify the worst programming mistakes that lead to patch-management headaches and even cybercrime and cyber espionage.
With the Top 25 list — which sprang from an effort that began with the Department of Homeland Security seeking to pinpoint which software weaknesses lead to security breaches--there's optimism that software buyers will be able to use this common set of definitions to ask that software vendors fix their mistakes without major legal or financial fuss.
The Top 25 programming errors
This list of techie goof-ups starts with "Improper Input Validation" and ends with "Client-Side Enforcement of Server-Side Security." Vendors may simply ignore the list to brush off concerns and evade responsibility, it's pointed out. But some, including New York State, are expected to lead the way in making the Top 25 a big topic of discussion during the software-acquisition process.
"What keeps me up at night? Application vulnerabilities," says Will Pelgrin, CISO for the State of New York, and director of the New York State office of cybersecurity and critical infrastructure. Vulnerabilities laid out so neatly in the Top 25 list are "increasingly the vector for attacks," he notes.
Pelgrin strongly supports the effort behind the list, which was pulled together with both industry and government input by MITRE Corp. in its "Common Weakness Enumeration" project.
The list was culled from about 700 fundamental software issues MITRE identified over three years. The basic idea for the project is said to have started with the U.S. government's National Security Agency (NSA).