New York drafts language demanding secure code

By Robert Westervelt, News Editor 14 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Officials in New York state plan to force software developers to deliver software with fewer coding errors under new procurement language proposed this week.

We want to build in responsibility and accountability in the procurement process, and make sure that when we do find errors, remediation and mitigation can be done as soon as possible. William Pelgrin, CISO of New York state

The procurement specifications use the CWE/SANS Top 25 Dangerous Programming Errors list, which outlines the most dangerous coding flaws and ways software developers can avoid them. The list was developed by more than 30 cybersecurity organizations and is being maintained by the SANS Institute, a security training and certification organization, and the MITRE Corporation, which also maintains the Common Weakness Enumeration, a formal list of software weaknesses.

"Contract language doesn't work unless there's a minimum standard of due care," Alan Paller, director of research at the SANS Institute said in a press briefing following the announcement of the new Top 25 Errors list. "The Top 25 Errors is the first step in defining that minimum standard."

The draft procurement language is posted on the SANS Institute website. The SANS organization recommends the language be used as a guide, while official contract language should be drafted using a qualified attorney.

Under the draft procurement standards, software makers that do business with New York State agencies must certify that they have rid their code of the Top 25 Errors. The language insists that vendors should conduct an analysis using the Top 25 list and document in writing that they have been mitigated.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

William Pelgrin, CISO of New York state and principal editor of the consensus procurement standards for secure code, drafted the new language. He said the language is constantly evolving and that more organizations are improving it to fit their needs.

"This is being used not because application developers are doing a bad job, but [because] we need to ensure that they have the appropriate and necessary tools and expertise to make those applications have the basics of cybersecurity built-in, straight through the whole lifecycle," Pelgrin said in an interview with SearchSecurity.com.

Secure software coding: Security experts identify 25 dangerous coding errors: A new list of common programming errors could give non-experts the ability to demand higher coding standards. Should static analysis be avoided during the software development process?: When the cost of addressing security issues increases as the software design lifecycle proceeds, see why expert Michael Cobb says that using static analysis early on can benefit your organization. SANS: New exam program about more secure code: The SANS Institute has unveiled a skills assessment and certification exam program designed to test the secure coding skills of software programmers. Software still plagued with security holes, researcher says: In this podcast, noted security researcher Greg Hoglund, who specializes in Windows rootkits and secure coding, explains why software is just as vulnerable today as it was in 1999.

Pelgrin said he is seeking comments from both the public and private sectors to improve the procurement guide language. Pelgrin also shared the information with other states to assist with both in-house software development and hiring an external development team.

"Human error is always going to be a factor," Pelgrin said. "We want to build in responsibility and accountability in the procurement process, and make sure that when we do find errors, remediation and mitigation can be done as soon as possible."

The Top 25 Errors list is organized into three categories: insecure interaction between components, risky resource management and porous defenses. Some of the errors listed include improper input validation and improper output encoding issues, SQL query structure problems, and other errors that could cause data leakage and theft.

The list also has links to the full CWE entry data, data fields for weakness prevalence and consequences, and the attack frequency against each vulnerability. Remediation cost and ease of detection will also be referenced in the list.

Some experts say that requiring development teams to place more emphasis on software security could drive up contract costs and lengthen project timetables. Pelgrin dismisses those fears, saying that development firms should embrace secure coding to make them more attractive.

SearchSecurity radio:

"If I was a developer, I would be hanging out my shingle that I use the Top 25," Pelgrin said. "I think that the marketplace will embrace this. It has to be something that is not only positive, but something that is promoted."

While Pelgrin is among dozens of other security experts praising the Top 25 Errors list, other experts say the list overlaps with other programming error lists, such as the Open Web Application Security Project (OWASP) Top Ten. While lists are interesting, they have had a minimal impact on the software market. But Pelgrin remains enthusiastic.

"I'm not going around saying you can do this and go home now," Pelgrin said. "You have to start somewhere."

Tags: Software Development Methodology,  Vulnerability Risk Assessment,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Software Development Methodology Microsoft extends SDL program, adds Agile development template Malware in Google attacks uses spaghetti code Self-defending Web applications thwart attacks Information security book excerpts and reviews Software piracy group offers cash to whistleblowers Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Should security tests be part of a software quality assurance program? Does an EULA make it truly illegal to decompile software? Vulnerability Risk Assessment Disaster recovery plans and DLP solutions top 2010 priorities Information security book excerpts and reviews What patch management metrics does Project Quant use? Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? Vulnerability Risk Assessment Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary