DHS releases software security scoring system

28.06.2011
The Department of Homeland Security (DHS), along with the SANS Institute and Mitre, released a scoring system on Monday designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding.

The organizations released an updated list of the Top 25 most dangerous programming errors found in software, along with a measuring system that lets enterprises score their software based on the presence or absence of those flaws.

The goal is to give enterprises information that will let them make more informed decisions regarding the security of their software, said Alan Paller, director of research at SANS.

The hope is that organizations within the private sector and government will use the Top 25 list and scoring system during the software procurement process, he said.

"Companies and not-for-profits that build or buy Web services and software do not have a reliable way to know whether the software they are using is protected against common attacks," Paller said.

The key missing ingredients have been a credible, validated list of the most dangerous errors programmers make, and a way to test the software to see whether those errors are present, he said.