More Than a List

19.01.2009

And programmers who don't care about security won't even notice the new list. They figure security is somebody else's job.

But this list isn't a complete waste. There's the germ of a new idea here -- and if we're really lucky, SANS and Mitre will make it a reality.

One of the goals for this new list is that big software buyers will be able to use it to improve software quality. For example, SANS says some state governments are already thinking about requiring software suppliers to certify in writing that their code is free of the errors on the list.

Self-certification? Yeah, good luck with that.

But wait -- there's no special reason why any buyer should have to take a software provider's word that its code is clean. Why not make third-party certification the standard? Certification companies could get access to the source code, run automated checks for the error classes on the list, and give software buyers reliable results about how clean the code really is.