Re:Undefined requirements
There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the Common Weakness Enumeration at MITRE and the SANS Institute, the SANS Top 25 (full listing here) is being used as a requirements document for the security of purchased applications by the State of New York, among others.
It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.
Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.