Last month, the Department of Homeland Security joined Mitre Corp. and the SANS Institute in providing an important service: highlighting the top 25 most dangerous software errors that lead to today’s most common security breaches.

The newly revised ranking calls out many of the mistakes made by developers while creating new code, such as SQL injection, OS command injection and buffer overflow.

While I appreciate the spirit behind the top 25 list, I can’t help but wonder whether compiling such a list is a bit like wrestling alligators in a swamp. Why not just drain the swamp? Or, to borrow another analogy, if a group of doctors identifies the most dangerous symptoms, isn’t it better to address the underlying disease first?

The software industry is in a state of crisis – not because it can’t recognize the most dangerous threats but because many application developers are still paying little attention to security in the first place. Here at (ISC)2, we consistently hear complaints from our members that those who write the software in their organizations are not properly educated on security issues and are too busy rushing to get applications out the door to properly vet their code before it’s deployed.

Why hasn’t security become a more critical element in the government’s evaluation of a software developer’s performance?

Part of the problem is that there isn’t enough incentive for the average programmer to implement secure development practices. Most developers are still evaluated more by speed of completion than by the quality of their code, and most are still willing to trade functionality for security, even though a single security breach may cost agencies their reputation and citizens their privacy.

The other part of the problem lies with the fact that until the 2011 National Defense Authorization Act (NDAA) was signed into law by President Obama on January 7, 2011, no major provision focusing on protecting and defending the software layer existed. The NDAA helped to bring software security into the mainstream and to communicate its priority to government agencies.

What government and industry need is not another Top 25 list or even a more effective secure software development framework. We need to take a holistic approach to the software problem and develop a true *discipline*, a school of thought that brings developers into the world of security and educates them in a consistent, ongoing fashion.

(ISC)2’s own Certified Secure Software Lifecycle Professional (CSSLP) program is at least a start toward instilling this approach and building this discipline, providing not only specific security requirements for a software developer to meet, but also an ongoing, structured curriculum that evolves with the threats that emerge on a constant basis.

If government is to eliminate the application vulnerabilities that so often lead to security breaches, we must begin to instill a holistic approach and develop a discipline that can be implemented and followed by all software developers. Until we do that, we’re only wrestling alligators – we’re not draining the swamp.

Mr. Tipton is executive director of (ISC)2, the world’s largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of the Interior and a recipient of the President’s Distinguished Rank Award.