Group Proposes Suits Over Faulty CodeHolding Software Vendors Legally Liable for Errors They Create
"Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers," Alan Paller, director of research at the SANS Institute, one of the consortium members. "The only way programming errors can be eradicated is by making software development organizations legally liable for the errors. And that can only be done if there is a safe harbor."
A safe harbor provision in a contract reduces or eliminates a party's liability on condition that, in this case, the software develop performs its action in good faith.
But IT security consultant and author Gary McGraw characterized the procurement language as "counterproductive and silly." Said McGraw, chief technology officer at the IT security consultancy Cigital: "My prediction is that there will be zero lawsuits, and that this list will do nothing to provide safe harbor in the case of insecure software. There is much more to building secure software than hunting down 25 bugs."
The standard contract language is based on a draft written for the New York State Office of Cybersecurity and Critical Infrastructure Coordination, headed by long-time CISO Wil Pelgrin. The draft states that the "'highest applicable industry standards' should be defined as the degree of care, skill, efficiency and diligence that a prudent person possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances."
Paller said the use of this contract language helps ensure that buyers aren't held liable for faulty coding. "Software vendors can be held liable for their errors because we now have a definitive minimum standard of due care," he said.
Tuesday's announcement listing the top 25 programming errors mirrors much of last year's report, which was endorsed by the National Security Agency and the Department of Homeland Security's National Cybersecurity Division.
The 2010 list prioritizes its entries using recommendations from 28 different organizations that have evaluated each weakness based on prevalence and importance. The new list introduces focused profiles to allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. It also provides effective mitigations, to aid in reducing or wiping out entire groups of weaknesses.