Group Proposes Suits Over Faulty Code

Holding Software Vendors Legally Liable for Errors They Create
A consortium of 30 international cybersecurity organizations, in releasing on Tuesday an update of the 25 most dangerous programming errors, has proposed standard contract language that would hold software vendors liable for programming errors.

"Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers," said Alan Paller, director of research at the SANS Institute, one of the consortium members. "The only way programming errors can be eradicated is by making software development organizations legally liable for the errors. And that can only be done if there is a safe harbor."

A safe harbor provision in a contract reduces or eliminates a party's liability on condition that, in this case, the software developer performs its work in good faith.

But IT security consultant and author Gary McGraw characterized the procurement language as "counterproductive and silly." Said McGraw, chief technology officer at the IT security consultancy Cigital: "My prediction is that there will be zero lawsuits, and that this list will do nothing to provide safe harbor in the case of insecure software. There is much more to building secure software than hunting down 25 bugs."

The standard contract language is based on a draft written for the New York State Office of Cybersecurity and Critical Infrastructure Coordination, headed by long-time CISO Wil Pelgrin. The draft states that the "'highest applicable industry standards' should be defined as the degree of care, skill, efficiency and diligence that a prudent person possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances."

Paller said the use of this contract language helps ensure that buyers aren't held liable for faulty coding. "Software vendors can be held liable for their errors because we now have a definitive minimum standard of due care," he said.

Tuesday's announcement listing the top 25 programming errors mirrors much of last year's report, which was endorsed by the National Security Agency and the Department of Homeland Security's National Cybersecurity Division.

The 2010 list prioritizes its entries using recommendations from 28 different organizations that have evaluated each weakness based on prevalence and importance. The new list introduces focused profiles to allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. It also provides effective mitigations, to aid in reducing or wiping out entire groups of weaknesses.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.