Experts reboot list of 25 most dangerous coding errors
Heal thy apps
Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications.
The list for 2010 bears a striking resemblance to last year's list, which marked the first time a broad cross section of the world's computer scientists reached formal agreement on the most dangerous programming pitfalls. The effort is designed to shift attention to the underlying coding mistakes that give rise to vulnerabilities in the first place.
The updated list was spearheaded by the not-for-profit MITRE Corporation, the SANS Institute, the National Security Agency, and the US Department of Homeland Security's National Cyber Security Division. Topping the list are cross-site scripting (XSS), SQL injection, and buffer-overflow bugs. According to the list's backers, the 25 flaws underlie almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and by millions of small-business and home users.
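To make the top two entries concrete, here is an added example that is not part of the original article or of the CWE/SANS list itself: a SQL lookup and an HTML template written the vulnerable way, each beside its fixed form. The user table, the login lookup, the profile template and the two payloads are all constructed for this illustration; the third entry, the buffer overflow, is a native-code bug and is not shown here.

```python
"""Added example: SQL injection and cross-site scripting, vulnerable form
beside the fix. Everything below (the users table, the lookup functions,
the template and the payloads) is constructed for illustration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """SQL injection (CWE-89): the attacker-controlled name is pasted into the
    SQL text, so a quote in the input turns data into query syntax."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Fix: the name travels as a bound parameter. The driver never splices it
    into the statement, so it can only ever be compared as a string."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(display_name: str) -> str:
    """XSS (CWE-79): untrusted text is interpolated straight into HTML, so a
    user who names themselves with a <script> tag gets it executed by every
    browser that views the page."""
    return f"<p>Welcome, {display_name}</p>"


def render_escaped(display_name: str) -> str:
    """Fix: entity-encode the untrusted text for the HTML text context in
    which it lands. The markup characters survive only as &lt; &gt; &amp;
    and quote entities and are displayed rather than parsed."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# Constructed payloads: a classic tautology for the query, a script tag
# for the template.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    conn = make_db()
    # The vulnerable lookup turns "WHERE name = 'x' OR '1'='1'" into a
    # match for every row; the parameterised one finds no such user.
    print(lookup_vulnerable(conn, SQLI_PAYLOAD))
    print(lookup_parameterized(conn, SQLI_PAYLOAD))
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_escaped(XSS_PAYLOAD))
```

On benign input both lookups agree, which is why this class of bug survives ordinary functional testing: the difference only appears when the input contains the delimiters the surrounding language uses, a quote for SQL or an angle bracket for HTML.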
Its release on Tuesday coincided with a renewed push for customers to hold software developers responsible for the security of their products. Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense security measures, such as verifying that all team members have cleared a background investigation and have been trained in secure programming techniques.
"As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you," the introduction to Tuesday's list states. The introduction also includes a draft contract with other terms customers should request. ®
I have a better idea.
Instead of contracts to shift liability for bugs to the coders involved, how about we start a program of corporate education. We could call it "you get what you pay for."
I fail to understand how running your coders 18 hours a day, with no vacation for years, paying them barely enough to survive while either being already outsourced to some third-world code sweatshop or constantly under threat of same is supposed to produce good code.
Pay your coders well so they are enthusiastic. Give them vacation time between projects to decompress. Allow them to work sane hours so that they are well rested and their minds are fresh. Remove from them the constant stress of "fear of losing my job."
Suddenly you have well trained coders who have their wits about them and care about their work. The code these folks produce will be better than that churned out by the folks at the code sweatshop.
The only way to make good code is to hold the management and directorship of the businesses involved personally liable for the quality of code they commission.
Coding Malpractice Insurance anyone?
If you're going to treat coders like doctors and sue them for malpractice, you have to give them the absolute authority to do it right. That means the authority to determine how long it will take, and what techniques and tools will get used. The coders don't make those decisions now, except in a few rare instances; management does, in the name of "getting the product to market in a timely fashion."
Not only that, coding is a team effort, and often ancient preexisting code and libraries are foisted upon coders who have neither the time nor expertise to fully understand what risks may be contained in their newly-found inheritance.
If you're going to treat them like doctors, they have to have the same sort of authority, the authority to actually make the decisions relevant to their responsibilities. And you'll have to pay them about three times as much. Any takers? I thought not.
This "holding responsible" thing is the greatest idea ever. But why stop at developers?
Let Microsoft, Apple, Adobe, Symantec, Quicken and a raft of others be held responsible for material losses incurred as a direct result of their software not coming up to snuff, no matter what weasel words are written in the EULA.
Let those insidious wreckers of reputations, the credit bureaus, be held responsible for the crappy state of their records and the reprehensibly wide latitude in their queries used to construct the credit reports that are forwarded to banks, employers, police etc. I've never seen such shoddy work.
Let the IRS be held responsible for proving what they allege as to your financial cheating of the state *before* they are allowed to enact draconian measures to "ensure compliance".
Let idiots who ignore the noises coming from an apartment and the obviously battered appearance of a child who lives there for years, then criticize the welfare authorities and/or police when that child is killed by a "guardian", take responsibility for their callous disregard for the consequences of their "minding their own".
Let jurors take responsibility for their verdicts without the now-mandatory "not *my* fault" interview on national TV after the case is over.
Let the Police rather than the taxpayers take responsibility for monetary damages awarded in respect of injuries sustained as the result of misconduct. Let people sue the pension funds instead of the state and the blue wall of silence would soon crumble.
By jimminy, this anything but obvious idea has legs!