http://gcn.com/articles/2009/01/19/list-creates-software-security-squabble.aspx

By William Jackson
GCN.com
Jan 19, 2009

The release earlier this month of a consensus list of the most serious programming errors to be avoided has garnered quite a bit of attention, some of it predictably negative. Bloggers who are amusing themselves by dissing the effort seem to be missing the forest for the trees. They dismiss the list because it is not an absolute and perfect solution to software security, and ignore the benefits it might provide.

Development of the list, available online, was managed by the SANS Institute and Mitre Corp. with support from the National Security Agency and the Homeland Security Department's National Cyber Security Division. It represents a consensus of the most significant errors on which the IT community should concentrate. The idea is that an industrywide consensus, culled from the more than 700 errors detailed in the Common Weakness Enumeration database, can be used to standardize requirements for software procurements, to prioritize remediation of legacy applications and to help educate coders.

The detractors are unhappy essentially because no Top-N list is all-inclusive. The whole idea of these lists is that some things get left out, and that upsets some people.

"Security is a big deal, it's not a list," says Gwyn Fisher, chief technology officer of Klocwork, in his Klocktalk blog.

Yes, security is a big deal. But Fisher makes a big assumption in declaring that "what's outside that list is just as important as what made the cut." The compilers of the most recent list, which represents a broad range of the people in the IT community, apparently disagree. They decided that what is inside the list is more important. Are they right? That is open to argument. But to summarily dismiss the effort simply because the list included some elements and excluded others is unfair. That's the nature of a list.

[...]
_______________________________________________
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html

Received on Mon Jan 19 2009 - 22:21:21 PST
This archive was generated by hypermail 2.2.0 : Mon Jan 19 2009 - 22:29:11 PST