Software scores can help secure the Web

Homeland Security, SANS Institute, and Mitre team up on a security scoring system and risk analysis framework. Is it an end to defect-ridden software? No, but it's a start

No one wants defect-ridden, insecure software, but unless your supplier is using a secure development methodology (and many times even then), your company is typically getting exactly that.

On Monday, the U.S. Department of Homeland Security along with the SANS Institute and Mitre will release its latest list of the top 25 coding vulnerabilities for websites. In the past, the list has mainly been of interest to security-conscious developers wanting to make sure to avoid the programming mistakes. This year, however, the organizations also plan to announce a way to prioritize software vulnerabilities using a scoring system and to evaluate risk using a framework for different industries.

Dubbed the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF), the two programs -- both spearheaded by government contractor Mitre -- offer a way of measuring software quality and safety that could dramatically impact the way developers create software. Instead of focusing on features at the cost of security, developers may find themselves held to a contract that mandates a particular score for their deliverables.

"It is shift from whining about [security] to doing something something about it," said Alan Paller, director of research for the SANS Institute, an organization that focuses on IT education.

Also on Monday, the SANS Institute plans to release its third annual list of the top 25 Web vulnerabilities. The most significant flaw in websites are SQL injection vulnerabilities, where a bug in the input validation of a site allows a visitor to issue commands to the database that runs the whole shebang. Such a flaw allegedly allowed the cyber vandals of the LulzSec group to breach several online services offered through Sony Pictures' website. 

Paller acknowledged that the list is nothing without a way for companies to measure whether their own programmers and contractors are adhering to the guidelines. Mandating that a supplier use Microsoft's Secure Development Lifecycle or Adobe's Secure Product Lifecycle means little, as compliance is not security. The scoring system and risk analysis framework will help companies to make sure their Web software vendors are responsible for the most egregious errors.

The SANS Institute, Mitre, and the U.S. Department of Homeland Security will announce the programs on Monday afternoon.

This story, "Software scores can help secure the Web," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies