The National Institute of Standards and Technology (NIST) published a report last month, Safer, Less Vulnerable Software Is the Goal of New NIST Computer Publication:
We can create software with 100 times fewer vulnerabilities than we do today, according to computer scientists at the National Institute of Standards and Technology (NIST). To get there, they recommend that coders adopt the approaches they have compiled in a new publication.
The 60-page document, NIST Interagency Report (NISTIR) 8151: Dramatically Reducing Software Vulnerabilities, is a collection of the newest strategies gathered from across industry and other sources for reducing bugs in software. While the report is officially a response to a request for methods from the White House's Office of Science and Technology Policy, NIST computer scientist Paul E. Black says its contents will help any organization that seeks to author high-quality, low-defect computer code.
"We want coders to know about it," said Black, one of the publication's coauthors. "We concentrated on including novel ideas that they may not have heard about already."
Black and his NIST colleagues compiled these ideas while working with software assurance experts from many private companies in the computer industry as well as several government agencies that generate a good deal of code, including the Department of Defense and NASA. The resulting document reflects their cumulative input and experience.
The report recommends five main approaches as described in lay terms in this infographic.
The report is available at: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:11AM
Read about RISC-V; it's a royalty-free ISA, with many burgeoning "open-source" implementations from the embedded to the general-purpose.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:15AM
Go read up on the ISA/ABI. It has a number of limitations in it compared to modern general purpose processors, a number of which were brushed off as unnecessary or saved for a later revision of the standard. I don't remember them all off the top of my head, but it should be easy to find reading over the RISC-V website or forums discussing RISC-V.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:27AM
You are thinking of OpenRISC.
In contrast, RISC-V is designed to be modular and extensible; indeed, there is nothing scary about "future" development, as the entire architecture has been designed for revision.
That being said, RISC-V supports both contemporary ideas for general purpose computing, as well as novel ideas.
(Score: 1, Funny) by Anonymous Coward on Tuesday January 03 2017, @02:15AM
We need an app that apps apps because only apps can app apps!
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:32AM
Sure. And write it in Ada to minimize bugs...
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:48AM
The last time I wrote something nontrivial in Ada I found bugs in the compiler because nobody uses the Ada compiler often enough to notice bugs.
(Score: 2) by Snotnose on Tuesday January 03 2017, @06:51AM
The last time I wrote something non-trivial in ADA I ended up finding another job before it finished compiling.
This was 90/91, first generation of ADA compilers, it really sucked.
I came. I saw. I forgot why I came.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @08:22AM
GCC has an Ada compiler, it's slightly better now.
(Score: 2) by bradley13 on Tuesday January 03 2017, @06:56PM
This was 90/91, first generation of ADA compilers
That can't quite be right, seeing as I wrote my Master's thesis in Ada in 1986. The compilers had a few bugs, but they were easy enough to work around. Anyway, that was to be expected given the size of the language.
By 90/91 you were surely living in the compiler-land of milk and honey...
Everyone is somebody else's weirdo.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @03:35AM
What opinion do LUDDITES have of this?
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @04:01AM
Luddites disable apps! Did you know you can disable Google Keyboard! You Luddite! Every app has crashed!
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:36AM
COBOL. RPG. Fortran. Basic.
The rest are not real languages, just a bunch of routines that are not a unified language between them.
(Score: 2) by Snotnose on Tuesday January 03 2017, @03:17AM
I've done several projects that were small scope, then got sold with minor changes outside of anything I ever considered when developing the code.
You pay me $120/hr to develop software according to your specs, I develop the software to your specs. I don't spend an extra hour or three thinking about potential security issues when you resell my code outside of what you contracted me to develop. To be honest, to do so would be dishonest on my part.
I came. I saw. I forgot why I came.
(Score: 2) by Runaway1956 on Tuesday January 03 2017, @03:26AM
It's the old refrain. Make it "good enough", and push it out the door. Ease and convenience are primary concerns, security and vulnerability can be addressed some time in the future - maybe. If we get around to it.
The world would be so much better off, if we all relied on Unix-like operating systems. We see the "good enough" business in the Linux world. The difference is, it's all open source, so that when it is NOT "good enough", someone can fix it. In the Windows world, the Apple world, and increasingly in the Android worlds, there is no one to fix the closed source binary globs.
Yes, there really needs to be some kind of standard for security. Watch Microsoft stand in the way of any such efforts though. If Windows is to remain closed source, it would cost Microsoft tons of money to meet any reasonable standards. And, we know damned well that MS won't open source their code. That just ain't happening.
Apple? The walled garden will probably survive the institution of decent standards. Apple, under the hood, is a Unix-like, after all. It would be expensive for Apple to meet stringent standards, but they could do it, and pass the cost on to those who believe in Apple.
Android? The jury is still out on that. Google needs to step up to the plate, and rescue their brain child. Android is being royally screwed, primarily by the telcos that insist on locking down their phones.
Abortion is the number one killer of children in the United States.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @03:47AM
Quality, time tested open source code like OpenSSL?
Here is a piece of code that much of the world had been using for years; it was crap, and devastating bugs were found only after YEARS in this library which was open source for all the world to see. Too bad nobody cared to look.
You say you can always fix open source, but this widely used library was so bad they chucked it and wrote a replacement in LibreSSL.
I am not saying closed source is necessarily better than open. Open or closed can be complete crap, and having programmed for over 20 yrs, I am forced to use a LOT of high profile but CRAP open source. I would say code quality is about the same between open and closed and that writing a replacement library is FREQUENTLY easier than getting the egocentric maintainers of a buggy library to accept a code fix from the outside.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @05:00AM
Quality, time tested open source code like OpenSSL?
You're going for a nirvana fallacy? Typical. Nothing is perfect. Countless proprietary programs had severe bugs that were discovered and fixed years after they were introduced as well, so it's not as if the same thing doesn't apply there as well. I'd argue the difference is that, with free software (not "open source"), you have the freedom to inspect the source code, the freedom to fix bugs yourself, the freedom to hire others to inspect the source code, the freedom to give the community the altered source code so that everyone can benefit, and so on. With free software, you are not completely dependent upon a particular developer or company, unlike with proprietary software; this gives you more options than just 'Take it or leave it.' While free software is not always perfect, it is oftentimes superior; you might be able to point out a horrible bug in some free software programs, and I could just as easily point to a million similar instances in proprietary software. I'd also argue that it's an ethical imperative for software to respect users' freedoms, so even if some free program is inferior to its proprietary equivalent in a technical sense, the free software is still better because it respects your freedoms.
(Score: 2) by maxwell demon on Tuesday January 03 2017, @07:51AM
With rare exceptions (like DRM), software neither respects nor disrespects users' freedoms. The license does, however.
Note that the very same software can be available under vastly different licenses.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by RS3 on Tuesday January 03 2017, @05:41PM
Is Scott Adams here on SN somewhere? Today's Dilbert http://assets.amuniversal.com/a1fcce70a905013416c3005056a9545d [amuniversal.com]
(Score: 2) by MichaelDavidCrawford on Tuesday January 03 2017, @03:31AM
that's less likely to happen than the solution to drunk driving and extramarital affairs.
Look we know all kinds of ways to make our software and servers more secure, yet our databases still use in-band signalling.
I personally cannot be bothered to run Windows update. I find it very disruptive. Surely I'll get cryptolocked someday but when I do I'll throw my Acer in the Willamette River then purchase a new one.
I am convinced that widespread security is just never going to happen.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Touché) by Anonymous Coward on Tuesday January 03 2017, @04:14AM
Surely I'll get cryptolocked someday but when I do I'll throw my Acer in the Willamette River then purchase a new one.
How could you be so wasteful?
Give a poor homeless man a job and a little bit of money and he immediately starts acting like a rich asshole.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @04:23AM
Personal responsibility has nothing to do with it. If you want to ensure it happens, write it into the contract as a deliverable or make it part of your company's official process for non-contracted software.
Have a security standard to follow with a standard test suite. This is common on Defense projects.
--Ashley
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @11:59AM
I will not take personal responsibility for you or anyone other than myself.
I have not hurt systems or generations of systems, because I am not a traitor. Those who sell off everyone for a little financial gain deserve to be punished, as only they benefited from it.
You can count on me to NOT take personal responsibility for other people. Each one is different, and the title of your post is a brainwashing attempt so people would take "personal responsibility" for everything, even for those whose treasonous tendencies are not just about financial gain.
(Score: 0, Redundant) by jb on Tuesday January 03 2017, @04:00AM
How does that work?
If, say, the hypothetical software that needed improving had 1 vulnerability, its shiny new replacement with "100 times fewer vulnerabilities" would presumably have -99 vulnerabilities -- how is that even possible?
The only input for which the phrase "100 times fewer vulnerabilities" makes any sense, is starting with zero vulnerabilities (in which case, no effort is required to achieve the 100-fold reduction).
Perhaps what they really meant was "one one-hundredth as many vulnerabilities" -- an admirable goal, but perhaps better expressed as "99% fewer vulnerabilities"...
Given the importance of accurate mathematics to writing (as near as possible to) bug-free code, they don't seem to have got off to a very good start...
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @06:02AM
Marketdroid-speak...
Advertisers have to spend one or two minutes full of nonstop verbiage, yet not commit to a thing. Undefined variables are their lifeblood.
100 times fewer vulnerabilities than what? Up to dream performance for only $xxx* ( * other charges may apply ). Order now and we will include another one FREE! Just pay a separate fee.
Three month trial! Try today! Only $19.95 ( What they did not say is the price for the item is $500... the $19.95 was for the trial! ).
Fair and honest bidding site! I-Pod sold for $7.96! ( Did not include the price of bids... ).
Order a bottle of pills and we will send you another bottle FREE! ( They will still charge you for the pills though... but they will send it in the same box ). ( Also, if the ad-head said it would send another bottle, does the second bottle even have any pills in it? ).
Experience has taught me to listen very critically to what an ad-head says. Can't help but look around for the air compressor, as the voluminous expulsions of air leaving those things, along with the frenzied facial expressions, lead me to believe most advertisers are pneumatically driven.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @07:53AM
Only features and glitz sell. Let's see how soon the IoT craze will kill the internet...
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @12:30PM
Software may be only as safe as the OS it runs on. And the hardware the OS runs on.
Sadly, some people have attempted to equate safe with slow. Today's software is slower than it has ever been. Bad, slow, unsafe frameworks are being sold as replacement for good programmers and good code. The lowest bidder gets the contract so security and safety are not present.
And the whole "updates" crap we've been brainwashed with. The thing to check is: If it requires updates, then DO NOT USE that software. All updates are suspicious. I am not your beta tester.
And don't talk to me about "automated test tools" and "automated verification tools". No one can verify software except an able programmer. Automated tests stop good programmers from doing useful work.
Dumb manager: "you need to write test cases to verify that your software works"
Me: "fuck you"
(Score: 2) by tibman on Tuesday January 03 2017, @09:15PM
I disagree on automated tests stopping good developers from doing useful work. With automated tests you can refactor code or modify existing features and quickly verify that the existing functionality is intact. I've also found them extremely useful when recreating and resolving bugs and edge cases. I can just write a test that proves the issue exists and then modify the production code to pass the test and resolve the issue. With that test in place another developer can't come along and re-introduce the same issue.
You say that "No one can verify software except an able programmer." As an "able programmer", write the tests that verify your software. Now it is automated for you. Most programmers automate the tedious manual tasks they are asked to do.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by fubari on Tuesday January 03 2017, @10:04PM
The Fine Article seems like a solid writeup, an interesting read (if rather dry). They review a lot of current research areas. Formal methods, for example - lots has happened here since I last looked at it.
This will take me some time to digest, but it seems well worthwhile for the practicing programmer - even if you only read it to learn about what you and your team are not doing.