By William Jackson
Jan 19, 2009
The release earlier this month of a consensus list of the most serious
programming errors to be avoided has garnered quite a bit of attention,
some of it predictably negative. Bloggers who are amusing themselves by
dissing the effort seem to be missing the forest for the trees. They
dismiss the list because it is not an absolute and perfect solution to
software security, and ignore the benefits it might provide.
Development of the list, available online, was managed by the SANS
Institute and Mitre Corp. with support from the National Security Agency
and the Homeland Security Department's National Cyber Security Division.
It represents a consensus of the most significant errors on which the IT
community should concentrate. The idea is that an industrywide
consensus, culled from the more than 700 errors detailed in the Common
Weakness Enumeration database, can be used to standardize requirements
for software procurements, to prioritize remediation of legacy
applications and to help educate coders.
The detractors are unhappy essentially because no Top-N list is
all-inclusive. The whole idea of these lists is that some things get
left out, and that upsets some people.
"Security is a big deal, it's not a list," writes Gwyn Fisher, chief
technology officer of Klocwork, in his Klocktalk blog. Yes, security is
a big deal. But Fisher makes a big assumption in declaring that "what's
outside that list is just as important as what made the cut." The
compilers of the most recent list, which represents a broad range of the
people in the IT community, apparently disagree. They decided that what
is inside the list is more important.
Are they right? That is open to argument. But to summarily dismiss the
effort simply because the list included some elements and excluded
others is unfair. That's the nature of a list.