Bug Free Software – It’s The Law!
Darkreading.com published an article yesterday about a new proposal that could hold software developers accountable for security bugs. Not the “my bad” type of accountable – the legal kind. With support from some high-profile public and private entities, the proposal would likely require developers to make their software free of the CWE/SANS Top 25 Most Dangerous Programming Errors before it’s shipped. Needless to say, such a measure would drastically affect the day-to-day responsibilities of testers.
Stanton blogged about the Top 25 list around this time last year, noting that although it was comprehensive, it lacked meaningful context for testers. It appears that his feedback was incorporated into the 2010 version. Writes Kelly Jackson Higgins:
SANS’ annual list had been criticized by security experts as more of a laundry list rather than offering a solution, but this year the list came with so-called “focus profiles” that broke the programming errors into groups based on categories of weaknesses and also provided mitigation information. The list is in order of priority this year, with failure to preserve Web page structure (think cross-site scripting) as No. 1, and race condition mistakes as No. 25.
Not surprisingly, the proposal has sparked a lively debate among industry participants – testers, developers and consumers. Here’s how the pros and cons boil down:
- Pro: This measure would help protect software consumers from disastrous security bugs, and would give developers and testers a better idea of the standards their product should meet before it hits the market.
- Con: You can’t legislate quality software. Any attempt to put all developers under a one-size-fits-all policy would be futile and disorderly, and would increase the cost of software production.
Anyway, I’m interested to hear what those on the front lines think of such a proposal. Yay or nay?
I agree. It should be made the law.