Computerworld - A coalition of security experts from more than 30 organizations is urging enterprises to exert more pressure on software vendors to ensure that they use secure code development practices.
The group, led by the SANS Institute and Mitre Corp., offered enterprises recent hacks of Google draft contract language that would require vendors to adhere to a strict set of security standards for software development. In essence, the terms would make vendors liable for software defects that lead to security breaches.
"Nearly every attack is enabled by [programming] mistakes that provide a handhold for attackers," said Alan Paller, director of research at SANS, a security training and certification group.
"The only way programming errors can be eradicated is by making software development organizations legally liable for the errors," he said.
SANS and Mitre, a Bedford, Mass.-based government contractor, also released their second annual list of the top 25 security errors made by programmers. The authors said those errors have been at the root of almost every major type of cyberattack, including the recent hacks of Google and numerous utilities and government agencies.
According to the list, the most common mistakes continue to involve SQL injection errors, cross-site scripting flaws and buffer overflow vulnerabilities. All three have been well-known problems for years.
This version of this story was originally published in Computerworld's print edition. It's an edited version of an article that first ran on Computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
