State of New York takes a major step in Application Security

By Paladion

January 20, 2009

The State of New York has elevated Application Security in a pioneering move. The State of New York's procurement contracts will now include language that takes application security into account. Specifically, programmers wishing to do business with New York will be required, based on newly implemented contract language, to read the recently released list of the 25 most dangerous programming errors (more on this below). This effort is fully supported and sponsored by the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). CSCIC is responsible for leading and coordinating New York State's efforts regarding cyber security readiness, geographic information systems (GIS) and critical infrastructure preparedness. CSCIC works collaboratively with the public and private sectors to foster communication and coordination. CSCIC also coordinates closely with the NYS Office of Homeland Security (OHS).

This makes perfect sense. New York is the third largest state in population. The state serves its large populace through multiple statewide agencies, which use internet-facing web applications to give residents easy access to the various state-supported programs.

Web-based applications can pose significant information security risk for organizations, and since the majority of them require the collection of private, personal and sensitive information (PPSI), such as Social Security numbers, making the security of these applications a key priority makes sense. Additionally, other NY statewide agency applications support the transfer and disbursement of funds, which again supports the need for enhanced application security and proper application-level testing. If that weren't reason enough, most of the state's agencies must also comply with multiple federal and state information security mandates, including the Federal Information Security Management Act (FISMA), the New York State Information Security Breach and Notification Act and the New York State Cyber Security Policy.

In addition, CSCIC has developed a cyber academy with the state's colleges and universities to educate and train the next generation of programmers about the basics of application development security. This represents another key element in managing and, more importantly, avoiding application vulnerabilities and errors right at the beginning of the software development cycle.

The list of the 25 most dangerous programming errors mentioned above was produced by more than 30 U.S. and international cyber security organizations that joined together to compile it. The CWE/SANS Top 25 List was compiled with help from organizations and individuals including Apple, CERT, Microsoft, Oracle and Red Hat, to name a few. It is managed by The SANS Institute and Mitre, and funded by the U.S. Department of Homeland Security's National Cyber Security Division and the U.S. National Security Agency, both of which also contributed to the development of the list. The hope is that by making these programming errors public, software code, and by extension the nation's cyber infrastructure, will be more secure.

CWE stands for Common Weakness Enumeration, a government-sponsored software assurance initiative. The Top 25 List consists of three categories of programming errors: Insecure Interaction Between Components (nine errors), Risky Resource Management (nine errors), and Porous Defenses (seven errors). Examples of errors in the respective categories include: CWE-20: Improper Input Validation; CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer; and CWE-285: Improper Access Control.

The hope is that the errors list will serve four major purposes:

  1. To make software more secure for buyers by requiring that vendors certify their software is free of these top 25 errors
  2. To incorporate awareness of these errors into software testing tools
  3. To provide information necessary for educators to teach more secure programming techniques
  4. To provide a guide for employers to determine the abilities of programmers to write code free of these errors

Many of the errors on the list led to the majority of security breaches in 2008. That should not be a surprise. Believe it or not, most of the errors on the list are not well understood by programmers; secure coding practices are not widely taught by computer science programs; and most developers are still only asked to code to feature and functionality requirements, not security requirements. Furthermore, application vulnerabilities and errors are frequently not tested for by organizations developing software for sale.

Hopefully the effort made by these groups, and by active participants like the State of New York, to leverage this body of knowledge will be replicated across all industries and verticals, improving application security in order to safeguard customer and corporate data.
