A giant step for business security

Illena Armstrong, editor-in-chief, SC Magazine

Right before going to press for this edition of SC Magazine, SANS' Alan Paller alerted me to an impending industry announcement that, he said, would be “of interest to business people – not just techies” and “change the way organizations buy software, right away.”

Now, while the last point will need time to be proven, the first seems accurate enough. Jointly made by over 30 cybersecurity organizations, the announcement centered on the release of the first consensus list of the 25 most important programming errors that lead to security bugs, which often enable various types of cybercrime. The release offers in-depth guidance on how to fix these holes.

A couple of things made this different from previous lists. First was the breadth of involvement from experts at various private, public and educational institutions from around the globe. Second was the push for its creation by the NSA, and financial support coming from DHS's National Cyber Security Division.

But perhaps most importantly, this list moves beyond the vulnerabilities that result from programming errors to the actual mistakes developers make that create the holes in the first place. This means that the consensus list, created with the participation of so many industry experts, and its associated and regularly updated websites (www.sans.org/top25 and cwe.mitre.org/top25) offer details on how to mitigate these all too common, but often lethal, mistakes.

According to experts behind the release of this list, these highly misunderstood errors made by programmers can have a huge impact on a company's ability to stay up and running. “Just two of them led to more than 1.5 million website security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those websites, turning their computers into zombies,” the press release noted.

During a press conference right after the announcement, an NSA spokesperson said that the shared creation and release of such a list of critical programming errors, together with the detailed fixes for them, will prompt a huge change in the way organizations tackle security. And if that means safer computing environments, with more programmers better understanding how to integrate security into the software they're building, then it's a big step in the right direction.

Illena Armstrong is editor-in-chief of SC Magazine.