Oh, not again. Last week, the SANS Institute and Mitre released yet another list of the most serious programming errors that break software security. And this time, SANS and Mitre got dozens of other organizations to sign on, including Microsoft, Apple, Oracle, Tata, Symantec, the US Department of Homeland Security and the National Security Agency.
But no matter how good it is, a list won't solve this problem.
Yes, it's a fine list. It includes all our old favorites: overflowing buffers, unchecked input, random numbers that aren't really random, failure to block cross-site scripting and SQL injection. (You can find the complete list at www.sans.org/top25errors.)
Trouble is, we've seen lists like these before. Security groups have been issuing them for decades -- and nothing much has changed.
SANS and Mitre say this one is better, because this time they tapped dozens of other organizations to help compile the top 25 programming problems. Surely that will convince programmers to see the error of their ways and start coding securely, won't it?
No, it won't. Programmers who care about security don't need this new list. They already know about these problems and work to avoid them.
And programmers who don't care about security won't even notice the new list. They figure security is somebody else's job.
But this list isn't a complete waste. There's the germ of a new idea here -- and if we're really lucky, SANS and Mitre will make it a reality.
One of the goals for this new list is that big software buyers will be able to use it to improve software quality. For example, SANS says some state governments are already thinking about requiring software suppliers to certify in writing that their code is free of the errors on the list.
Self-certification? Yeah, good luck with that.