
posted by Fnord666 on Wednesday May 22 2019, @10:44AM   Printer-friendly
from the software-security-is-not-an-aftermarket-accessory dept.

Submitted via IRC for AnonymousLuser

Lack of Secure Coding Called a National Security Threat

The lack of secure coding is a pervasive and serious threat to national security, according to a new paper from the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

Rob Roy, an ICIT fellow who was co-author of the report, suggests in an interview with Information Security Media Group that an app standards body could play an important role in improving app security.

"If there were some objective standards put in place that all software would have to abide by, then we could start to make progress," Roy says. "It may just be that there needs to be an objective standard ... and a legislative mandate that requires a certain level of assurance to provide an assured product."

The "call to action" report, "Software Security Is National Security: Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security," discusses systemic issues with the software development landscape and what needs to be done to rectify the problem of negligent coding. But solving the problem won't be easy, given the problems of speed-to-market pressures and the sheer number of IoT devices being produced, the report notes.

[Ed Note - for those Soylentils that are software developers, does your company provide training/mentoring on how to develop secure software?]


  • (Score: 4, Insightful) by loic on Wednesday May 22 2019, @12:08PM (3 children)

    by loic (5844) on Wednesday May 22 2019, @12:08PM (#846157)

    Insecure code is not a matter of bad coding practices, it is a matter of project management. Good security practices are expensive and nobody wants to pay for them. And it seems like companies are right because so far it is mostly cheaper to pay for security cover-ups than to pay to secure software.

  • (Score: 2) by JoeMerchant on Wednesday May 22 2019, @12:58PM

    by JoeMerchant (3937) on Wednesday May 22 2019, @12:58PM (#846173)

    so far it is mostly cheaper to pay for security cover-ups than to pay to secure software.

    So far. From the company perspective. From the customer perspective, events like WannaCry have been hugely expensive, not only the direct cost of the event itself, but the institutional reactions, over-reactions, and missed golf games while executives are dragged into meetings to explain what they're doing to prevent a recurrence.

    --
    🌻🌻 [google.com]
  • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @01:10PM (1 child)

    Eh... It's a matter of both, really. If your project management types don't know what to say OMGWTFBBQ over, you're going to get bad code. If your peon types don't know how to not fuck shit up, they're going to fuck shit up. You can automate away some of the responsibility but automation will never fully replace someone who knows what they're doing. Ideally you should do automated testing, have project managers who can spot bullshit a mile away, and peons who get educated by project managers when they write bad code.

    --
    My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @10:58PM

      by Anonymous Coward on Wednesday May 22 2019, @10:58PM (#846409)

      have project managers who can spot bullshit a mile away

      The existence of such managers is hypothetical or a matter of a theoretical artifice, like the zero level energy.
      Such managers have a half-life on the order of femtoseconds; no stable state is known for them.
      It may be because the very notion of 'manager' requires a level of bullshit to be present; this leads their bullshit detector to self-trigger and bring them into a highly excited state, from which they'll decay spectacularly into managers without bullshit detection capabilities or forever grumbling engineers.