Group releases list to kill most-dangerous bugs
Robert Lemos, SecurityFocus 2009-01-13

Story continued from Page 1

The Top-25 list has a good chance to gain the support of the incoming administration.

Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code (SAFECode), was one of the more than 30 international cybersecurity experts that contributed to the Top-25 list. Kurtz is also a member of Obama's transition team, an author of the Bush Administration's National Strategy to Secure Cyberspace and a member of the Commission on Cybersecurity for the 44th Presidency, which penned the recommendations for the Obama administration.

"This will derive better coding into the software industry," Kurtz said of the list. "Consumers and customers will have a better expectation of what is secure code... It should have happened a long time ago, but now we are getting better coordination."

For now, the U.S. government has not committed to requiring vendors to eliminate the weaknesses from software delivered under contract, but some state governments, including New York, are adopting the language, according to SANS's Paller. Highlighting the issue, Paller, SANS's director of research, described the travails of a large firm that had to pay a vendor 145 percent of the contract price to fix all the vulnerabilities in a piece of software.

"They ran tests on it and found numerous security flaws," Paller said. "They asked the vendor to fix the security issues, but the vendor refused, saying they had delivered a program that met the specifications."

Requiring that vendors eliminate all errors on the Top-25 list as part of future contracts should go a long way toward eliminating the most severe security issues, he said.

Paller has long argued that the sure way to eliminate serious security vulnerabilities is to give government and corporate customers a way to hold their vendors accountable for shipping flawed software. With the Top-25 list, he may have finally come up with a way to do just that.
