
posted by Fnord666 on Wednesday May 22 2019, @10:44AM
from the software-security-is-not-an-aftermarket-accessory dept.

Submitted via IRC for AnonymousLuser

Lack of Secure Coding Called a National Security Threat

The lack of secure coding is a pervasive and serious threat to national security, according to a new paper from the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

Rob Roy, an ICIT fellow who was co-author of the report, suggests in an interview with Information Security Media Group that an app standards body could play an important role in improving app security.

"If there were some objective standards put in place that all software would have to abide by, then we could start to make progress," Roy says. "It may just be that there needs to be an objective standard ... and a legislative mandate that requires a certain level of assurance to provide an assured product."

The "call to action" report, "Software Security Is National Security: Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security," discusses systemic issues with the software development landscape and what needs to be done to rectify the problem of negligent coding. But solving the problem won't be easy, given the problems of speed-to-market pressures and the sheer number of IoT devices being produced, the report notes.

[Ed Note - for those Soylentils that are software developers, does your company provide training/mentoring on how to develop secure software?]


  • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @10:58AM (4 children)

    We don't around these here SN parts aside from telling new devs to use the pre-written SQL subs that we already know are done properly instead of rolling their own.

    --
    My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @11:35AM (#846145) (2 children)

    And you're highly motivated volunteers! ... out in the wild, your security concerns will be squashed since they are seen as unproductive costs the moment you're proposing anything beyond whatever has been a legislative requirement. ... imo/ime, it turns out that the more external dependencies client-sites have, the worse their internal attitudes toward security, user-privacy and overall good-practices are.

    • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @12:12PM

      Well, that's all new devs really need to know. Bad code anywhere else is going to be highly obvious if they can even manage any. Admins are another story.

      --
      My rights don't end where your fear begins.
    • (Score: 2) by J053 (3532) <dakineNO@SPAMshangri-la.cx> on Wednesday May 22 2019, @08:35PM (#846371) Homepage
      In a way, that makes sense. If your site is highly dependent on outside resources (libraries, frameworks, etc.), then at some level no matter what you do internally to promote or enforce secure coding an error in one of the dependencies can completely negate all of your efforts. So, fuck it.
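
The Mighty Buzzard's advice above, use the known-good SQL subs instead of building query text by hand, is the standard defence against SQL injection. The following is an added illustration written for this page, not code from SoylentNews or the rehash code base: the "rolled your own" lookup and the parameterized lookup side by side in Python with sqlite3, plus the one case a placeholder cannot cover (a caller-chosen column name). The table, the sample rows and the attacker string are constructed for the example.

```python
"""Added example: string-built SQL versus a parameterized helper.

Illustrative code for this page, not SoylentNews/rehash code. The
schema, sample rows and attacker input below are constructed.
"""
import sqlite3

# Constructed sample data: a small users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]

# Constructed attacker-controlled input for a "name" field.
ATTACK = "nobody' OR '1'='1"

# Placeholders bind values, not identifiers, so a caller-chosen
# column name has to be checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """'Rolling your own': the untrusted name is spliced into the SQL text.

    With ATTACK as the name the WHERE clause becomes
    name = 'nobody' OR '1'='1', which matches every row.
    """
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user(conn, name):
    """The 'pre-written sub' style: fixed SQL text, the value is bound.

    The driver sends the query shape and the value separately, so the
    quote and OR in ATTACK are just characters inside a string literal.
    """
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_allowed_sort_column(column):
    """True only for column names the code itself owns."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, column):
    """Sort by a caller-chosen column, but only one from the allowlist.

    A '?' placeholder cannot stand in for an identifier in ORDER BY, so the
    allowlist is what keeps this f-string from becoming an injection point.
    """
    if not is_allowed_sort_column(column):
        raise ValueError(f"refusing to sort by {column!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup:", lookup_user_unsafe(db, ATTACK))   # all three rows
    print("safe lookup:  ", lookup_user(db, ATTACK))          # []
    print("sorted:       ", list_users_sorted(db, "name"))
```

Run as-is, the unsafe lookup returns every row for the injected name while the parameterized lookup returns nothing. The allowlist in list_users_sorted is the caveat that usually gets missed when "just use placeholders" is the only rule new developers are given: placeholders bind values, so table and column names that come from the caller still need a fixed set of permitted identifiers.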
  • (Score: 3, Insightful) by Nerdfest (80) on Wednesday May 22 2019, @12:02PM (#846152)

    I took a whole series of courses on secure coding and design in 2005 or so, and have been to several training sessions on secure design, etc. It's not that the knowledge isn't out there, or is hard to find, it's the same as the rest of the problems in software these days. The people coding are too inexperienced, too indifferent, and too rushed. Even if people just had a look at the list of top concerns from here [mitre.org], it would have a huge impact. As with everything else in software these days, I doubt things will improve quickly.