Top 25 coding defects listed, surprising nobody with a clue

The SANS institute has produced a list of the top 25 classes of programming flaws. The list won't make the flaws go away, but it does provide software purchasers with a powerful tool for whacking irresponsible software vendors.
Written by Adam O'Donnell, Contributor

A consortium of government, industry, and academic software security experts has produced a list of the top 25 software development syndromes that lead to security vulnerabilities. If you have ever developed code that is used by more than a handful of people, you have heard of the vast majority of the problems, including the infamous "Code Injection" attack, aka a buffer overflow.

The list will not likely make anyone a better programmer, but it does give organizations that are looking to purchase software a metric they can use to beat up on potential vendors. If a high number of "Top 25" weaknesses are found in the product, then a purchaser can either push down on the price or demand that the vendor repair the issues before the deal is completed. In other words, it allows the customer to use the power of the purse to demand improvements in software security, a requirement that heretofore had no metric with community consensus.

If software purchasers start demanding that software be delivered with a minimum of defects, various third-party firms will have to become involved to provide independent measurement of a product's security profile. This is similar to the "Cyberspace Underwriter's Lab" model discussed by the L0pht crew 10 years ago this week. In the absence of a single third party, look to product offerings like Veracode, Coverity, and Fortify, as well as services from the groups mentioned in the Twitter improvement plan posted earlier this week. This combination of software metrics, purchasing requirements, and third-party validation will eventually make the majority, but not all, of these issues a thing of the past.