ARN

More Than a List

Frankly Speaking

Oh, not again. Last week, the SANS Institute and Mitre released yet another list of the most serious programming errors that break software security. And this time, SANS and Mitre got dozens of other organizations to sign on, including Microsoft, Apple, Oracle, Tata, Symantec, the US Department of Homeland Security and the National Security Agency.

But no matter how good it is, a list won't solve this problem.

Yes, it's a fine list. It includes all our old favorites: overflowing buffers, unchecked input, random numbers that aren't really random, failure to block cross-site scripting and SQL injection. (You can find the complete list at www.sans.org/top25errors.)

Trouble is, we've seen lists like these before. Security groups have been issuing them for decades -- and nothing much has changed.

SANS and Mitre say this one is better, because this time they tapped dozens of other organizations to help compile the top 25 programming problems. Surely that will convince programmers to see the error of their ways and start coding securely, won't it?

No, it won't. Programmers who care about security don't need this new list. They already know about these problems and work to avoid them.

And programmers who don't care about security won't even notice the new list. They figure security is somebody else's job.

But this list isn't a complete waste. There's the germ of a new idea here -- and if we're really lucky, SANS and Mitre will make it a reality.

One of the goals for this new list is that big software buyers will be able to use it to improve software quality. For example, SANS says some state governments are already thinking about requiring software suppliers to certify in writing that their code is free of the errors on the list.

Self-certification? Yeah, good luck with that.
