Why are Operating Systems and other Software full of Security Holes?

January 22, 2009

It’s been a bit more than ten years now since the security industry began calling attention to buggy software development practices. And despite the security industry’s best efforts, most software development companies continue to produce code with security flaws. It seems efforts to draw attention to this matter may finally be having some positive results. The SANS Institute recently reported the upcoming publication of a list of the ten most dangerous programming mistakes. The list is intended to be used by organizations during the procurement of software as a means of having software development companies “certify” that their product does not contain any of the programming errors that lead to security vulnerabilities. SANS further reported that only two of the top ten programming mistakes accounted for over 1.5 million Web sites breached in 2008.

Financial institutions should monitor progress in this effort. The regulatory environment for financial institutions is quite keen on protecting consumer confidence and reducing fears related to computer systems breaches and identity theft. This top ten list could easily evolve into a regulatory expectation that banks and credit unions contractually obligate software vendors to code their programs to be free of these ten security errors.

Current vendor management regulations already require banks and credit unions to perform due diligence about controls when selecting a vendor, to contractually obligate vendors to protect sensitive data, and to monitor vendors to ensure their protection mechanisms are operating effectively.

The top ten list is said to include programming errors that could lead to cross-site scripting attacks, SQL injection attacks, hard-coded passwords, backdoors, and even the passing of sensitive information without encryption.

TrustCC applauds this effort and encourages every financial institution to hold vendors accountable.

– TrustCC
