Wysopal says large organizations in finance, government, or that run applications associated with "life or limb" applications are already including language in their large software contracts that hold their vendors accountable for clean software.
But the legal implications of secure coding contracts remain unclear. "I don't see an organization being held accountable when they submit their software for testing, get a clean bill of health, and later a defect is found that was missed," Wysopal says. "We know the state-of-the-art is not 100 percent."
Cigital's McGraw says software developers don't need to be forced to do the right thing: "They need to know what the right thing is," he says. "It's more important to teach them how to do it right than how to avoid a thousand bugs."
And many developers aren't even aware of secure coding issues at all, which the Rugged Software Development initiative, launched last week, aims to remedy by reaching out to the masses about secure development practices. Joshua Corman, research director for the enterprise security practice at The 451 Group and a co-founder of Rugged, says Rugged hopes to inform and steer developers toward secure coding efforts, such as the Top 25.
"This is very complementary to Rugged," Corman says of the SANS Top 25 list. "We would serve as a catalyst or on-ramp to help people learn of the Top 25."
Thus far, efforts to preach secure coding to developers haven't worked, he says. "What we want is people to care about security and developing rugged code," Corman says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.