Step 1: Legislation
Not sure how improved, secure coding practice came to be associated with legislation?
SANS and other progressive security think tanks have published a list of the 25 most dangerous programming errors (the CWE/SANS Top 25). In response, a state, I think New York, is considering legislation to ensure that code produced for the state doesn't contain any of those errors.
This is genius! Who needs to give our coding houses a chance to learn the material and find tools to prevent the errors? We'll accomplish all of that with this country's favorite tool: legislative fiat.
What is the likely result of this? Petty, frivolous lawsuits against coding houses already struggling to survive in a tough economy? Massive legal actions against everyone else who can be accused of contributory negligence, including (in no set order):
- Operating System vendors
- Hardware vendors
- Compiler vendors
- Pretty much anyone remotely involved in creating, patching, or executing software?
Maybe I'm wrong, but I think the move to legislate security compliance may just be another shot in the dark that produces few actual achievements.