posted by Fnord666 on Wednesday May 22 2019, @10:44AM
from the software-security-is-not-an-aftermarket-accessory dept.

Submitted via IRC for AnonymousLuser

Lack of Secure Coding Called a National Security Threat

The lack of secure coding is a pervasive and serious threat to national security, according to a new paper from the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

Rob Roy, an ICIT fellow who was co-author of the report, suggests in an interview with Information Security Media Group that an app standards body could play an important role in improving app security.

"If there were some objective standards put in place that all software would have to abide by, then we could start to make progress," Roy says. "It may just be that there needs to be an objective standard ... and a legislative mandate that requires a certain level of assurance to provide an assured product."

The "call to action" report, "Software Security Is National Security: Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security," discusses systemic issues with the software development landscape and what needs to be done to rectify the problem of negligent coding. But solving the problem won't be easy, given the problems of speed-to-market pressures and the sheer number of IoT devices being produced, the report notes.

[Ed Note - for those Soylentils that are software developers, does your company provide training/mentoring on how to develop secure software?]


  • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @01:56PM (#846196) (8 children)

    Like safety, security costs money. It is extra effort. It is similar in approach to safety.

    A security process would have to be similar to DO-178, the safety process. It would also have to be a holistic software development approach which includes significantly more testing and attention to security details.

    It is a specialized set of skills which your average programmer won't have just by wishing it into existence. Your average bonehead programmer can barely write a doubly-linked list properly, let alone an input routine that doesn't suffer from buffer overflows or sql injection. Heck, big ol' Intel can't even make their processors work securely.

    In short, it won't happen for the vast majority of software because it is too expensive: no one will pay for it.
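As an added illustration of the "input routine that doesn't suffer from SQL injection" the comment above mentions (this is editor-added example code, not something the commenter or the ICIT report provides): the same login check written twice, once by pasting the input into the query string and once with bound parameters, run against a constructed in-memory SQLite table. The table rows, the login function names and the tautology payload are all assumptions made up for this example.

```python
import sqlite3

# Constructed sample data for this example only (not from the original page).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# Classic tautology payload; constructed for this example.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The bonehead version: user input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name, password):
    """Parameterized version: the driver binds the values, so the input is always
    treated as data and can never change the query's structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def vulnerable_breaks_on_apostrophe(conn):
    """Even a non-malicious name with an apostrophe (e.g. o'brien) produces a
    syntax error in the string-built query. Returns True if that happens."""
    try:
        login_vulnerable(conn, "o'brien", "x")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both routines with a valid login and with the injection payload."""
    conn = make_db()
    return {
        # Both routines accept a correct username/password pair.
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        # The payload turns the WHERE clause into
        #   name = 'nobody' AND password = '' OR '1'='1'
        # which matches every row in the vulnerable version ...
        "vuln_attack": login_vulnerable(conn, "nobody", PAYLOAD),
        # ... and matches nothing when the payload is just a bound string.
        "safe_attack": login_safe(conn, "nobody", PAYLOAD),
        "vuln_apostrophe_error": vulnerable_breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point is not that the fix is hard (one query changes `'%s'` to `?`), but that the vulnerable form looks perfectly reasonable to someone who has never been shown why it is wrong, which is exactly the training gap the comment and the editor's question are about.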

  • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @02:33PM (#846217)

    Your average bonehead programmer can barely write a doubly-linked list properly

    #include <list>

    std::list<int> my_list; // this is a doubly-linked list

    Done.

    let alone an input routine that doesn't suffer from buffer overflows

    My routines don't suffer from buffer overflows, they enjoy them!

    or sql injection.

    No chance. I certainly won't go to the trouble of implementing SQL for my home-grown poorly documented and poorly debugged data storage routines.

    See? My programs are perfectly secure! ;-)

  • (Score: 2, Insightful) by Rupert Pupnick (7277) on Wednesday May 22 2019, @02:38PM (#846218) (6 children)

    Agreed, and waving flags about “threats to national security” is not going to fund the needed development.

    Lots of people will have to be inconvenienced or harmed before there are any organized reforms. Taking note of the fact the Boeing CEO still has his job, it seems that a disaster of very large proportions will have to happen before anything changes.

    • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Wednesday May 22 2019, @02:57PM (#846237) (5 children)

      Not sure about that. A "threat to national security" means the government can spend money on it as a priority. And we have a President who is apparently willing to declare things emergencies because he feels like they should be rather than matching objective criteria.

      Not that the government spending money will automatically fix things, either. And not that every single line of code written needs to be secure, either, come to that.

      --
      This sig for rent.
      • (Score: 2, Insightful) by Rupert Pupnick (7277) on Wednesday May 22 2019, @05:04PM (#846305) (1 child)

        Yes, I didn’t mean to suggest that money wouldn’t be spent, only that it won’t fund the organizations and businesses that have the expertise to address and fix the problem. Any money will go to a Blue Ribbon Expert Panel on Cybersecurity whose members will be appointed after a Nationwide Search [tm].

      • (Score: 4, Interesting) by krishnoid (1156) on Wednesday May 22 2019, @08:36PM (#846374) (2 children)

        From the green site [slashdot.org], "The reality is that security is not something you can buy; it is something you must get."

        • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Thursday May 23 2019, @03:24PM (#846664) (1 child)

          I'd suggest that security is something that is not an absolute. This is why security departments are often attached to Risk Management divisions in corporations. As one who's worked in the security field I'd note you can't "get security" either, you only may obtain some measure of it.

          How one obtains any security without the expenditure of money is beyond me, except in the sense that if one has literally nothing of value to lose and one wants it that way then one does not need security. One can pay an exorbitant amount for guns and guards and locks and cameras and not feel secure, true. But one cannot feel secure without having made an expenditure towards obtaining that which provides that feeling except as above. And in the context of this article (corporate security) one can certainly have objective metrics about the measures one has put in place to attain security, and one can document the failures of those measures to have provided security. That's the point of TFA, isn't it? The lack of attention paid to measures to attain a measure of security in coding is deficient to the point where it is a national-level problem now.

          --
          This sig for rent.