Officials in New York state plan to force software developers to deliver software with fewer coding errors under new procurement language proposed this week.
William Pelgrin, CISO of New York State
The procurement specifications use the CWE/SANS Top 25 Dangerous Programming Errors list, which outlines the most dangerous coding flaws and ways software developers can avoid them. The list was developed by more than 30 cybersecurity organizations and is being maintained by the SANS Institute, a security training and certification organization, and the MITRE Corporation, which also maintains the Common Weakness Enumeration, a formal list of software weaknesses.
"Contract language doesn't work unless there's a minimum standard of due care," Alan Paller, director of research at the SANS Institute said in a press briefing following the announcement of the new Top 25 Errors list. "The Top 25 Errors is the first step in defining that minimum standard."
The draft procurement language is posted on the SANS Institute website. The SANS organization recommends the language be used as a guide, while official contract language should be drafted using a qualified attorney.
Under the draft procurement standards, software makers that do business with New York State agencies must certify that they have rid their code of the Top 25 Errors. The language insists that vendors should conduct an analysis using the Top 25 list and document in writing that they have been mitigated.
William Pelgrin, CISO of New York state and principal editor of the consensus procurement standards for secure code, drafted the new language. He said the language is constantly evolving and that more organizations are improving it to fit their needs.
"This is being used not because application developers are doing a bad job, but [because] we need to ensure that they have the appropriate and necessary tools and expertise to make those applications have the basics of cybersecurity built-in, straight through the whole lifecycle," Pelgrin said in an interview with SearchSecurity.com.
Secure software coding:
Should static analysis be avoided during the software development process?: When the cost of addressing security issues increases as the software design lifecycle proceeds, see why expert Michael Cobb says that using static analysis early on can benefit your organization.
SANS: New exam program about more secure code: The SANS Institute has unveiled a skills assessment and certification exam program designed to test the secure coding skills of software programmers.
Software still plagued with security holes, researcher says: In this podcast, noted security researcher Greg Hoglund, who specializes in Windows rootkits and secure coding, explains why software is just as vulnerable today as it was in 1999.
Pelgrin said he is seeking comments from both the public and private sectors to improve the procurement guide language. Pelgrin also shared the information with other states to assist with both in-house software development and hiring an external development team.
"Human error is always going to be a factor," Pelgrin said. "We want to build in responsibility and accountability in the procurement process, and make sure that when we do find errors, remediation and mitigation can be done as soon as possible."
The Top 25 Errors list is organized into three categories: insecure interaction between components, risky resource management and porous defenses. Some of the errors listed include improper input validation and improper output encoding issues, SQL query structure problems, and other errors that could cause data leakage and theft.
The list also has links to the full CWE entry data, data fields for weakness prevalence and consequences, and the attack frequency against each vulnerability. Remediation cost and ease of detection will also be referenced in the list.
Some experts say that requiring development teams to place more emphasis on software security could drive up contract costs and lengthen project timetables. Pelgrin dismisses those fears, saying that development firms should embrace secure coding to make them more attractive.
"If I was a developer, I would be hanging out my shingle that I use the Top 25," Pelgrin said. "I think that the marketplace will embrace this. It has to be something that is not only positive, but something that is promoted."
While Pelgrin is among dozens of other security experts praising the Top 25 Errors list, other experts say the list overlaps with other programming error lists, such as the Open Web Application Security Project (OWASP) Top Ten. While lists are interesting, they have had a minimal impact on the software market. But Pelgrin remains enthusiastic.
"I'm not going around saying you can do this and go home now," Pelgrin said. "You have to start somewhere."