Problems in the writing of software could be caused by a lack of training.
Jacob West, manager of the security research group at Fortify Software, claimed that after working on the CWE/SANS top 25 most dangerous programming errors, he realised that there is a potential problem with a lack of knowledge about building software.
West said: “Most of the people who build software are focused on things other than security, these people are making security-critical decisions on a daily basis, but they can't afford to become security experts as they've got other things to worry about.
“Security is a complicated field and we can't expect everyone to become experts. Software developers and architects, quality assurance testers, and operations engineers all have a wide range of responsibilities.”
He further claimed that the best chance to develop secure software is to get non-experts to make meaningful contributions, and enable them to get security right by teaching skills, tools and arming them with the right processes.
West said: “Despite a sunny outlook, most people building software today have received no formal training on software security. Projects like the OWASP Top 10 and the CWE/SANS Top 25 focus attention on the problems that are causing the most pain, serve as fodder for training programs, and generally increase awareness among non-experts.”