Hold Vendors Liable for Buggy Software

A coalition of security experts from more than 30 organizations is urging enterprises to exert more pressure on software vendors to ensure that they use secure code development practices.

The group, led by the SANS Institute and Mitre Corp., offered enterprises recent hacks of Google draft contract language that would require vendors to adhere to a strict set of security standards for software development. In essence, the terms would make vendors liable for software defects that lead to security breaches.

"Nearly every attack is enabled by [programming] mistakes that provide a handhold for attackers," said Alan Paller, director of research at SANS, a security training and certification group.

"The only way programming errors can be eradicated is by making software development organizations legally liable for the errors," he said.

SANS and Mitre, a Bedford, Mass.-based government contractor, also released their second annual list of the top 25 security errors made by programmers. The authors said those errors have been at the root of almost every major type of cyberattack, including the recent hacks of Google and numerous utilities and government agencies.

According to the list, the most common mistakes continue to involve SQL injection errors, cross-site scripting flaws and buffer overflow vulnerabilities. All three have been well-known problems for years.

This version of this story was originally published in Computerworld's print edition. It's an edited version of an article that first ran on Computerworld.com.

6 tips for scaling up team collaboration tools
  
Shop Tech Products at Amazon