A giant step for business security

Illena Armstrong, editor-in-chief, SC Magazine

Right before going to press for this edition of SC Magazine, SANS' Alan Paller alerted me to an impending industry announcement that, he said, would be “of interest to business people – not just techies” and “change the way organizations buy software, right away.”

Now, while the last point will need time to be proven, the first seems accurate enough. Jointly made by over 30 cybersecurity organizations, the announcement centered on the release of the first consensus list of the 25 most important programming errors that lead to security bugs, which often enable various types of cybercrime. The release offers in-depth guidance on how to fix these holes.

A couple of things made this different from previous lists. First was the breadth of involvement from experts at various private, public and educational institutions from around the globe. Second was the push for its creation by the NSA, and financial support coming from DHS's National Cyber Security Division.

But perhaps most importantly, this list moves beyond the vulnerabilities that result from programming errors to the actual mistakes developers make that create the holes in the first place. This means that the consensus list, created with the participation of so many industry experts, and its associated and regularly updated websites (www.sans.org/top25 and cwe.mitre.org/top25) offer details on how to mitigate these all too common, but often lethal, mistakes.

According to experts behind the release of this list, these highly misunderstood errors made by programmers can have a huge impact on a company's ability to stay up and running. “Just two of them led to more than 1.5 million website security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those websites, turning their computers into zombies,” the press release noted.

During a press conference right after the announcement, an NSA spokesperson said that the shared creation and release of such critical programming errors and the detailed fixes for them will prompt a huge change in the way organizations tackle security. And if that means safer computing environments that see more programmers better understanding how to integrate security into the software they're building, then it's a big step in the right direction.

Illena Armstrong is editor-in-chief of SC Magazine.
