SoylentNews is people

posted by Fnord666 on Wednesday May 22 2019, @10:44AM
from the software-security-is-not-an-aftermarket-accessory dept.

Submitted via IRC for AnonymousLuser

Lack of Secure Coding Called a National Security Threat

The lack of secure coding is a pervasive and serious threat to national security, according to a new paper from the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

Rob Roy, an ICIT fellow who was co-author of the report, suggests in an interview with Information Security Media Group that an app standards body could play an important role in improving app security.

"If there were some objective standards put in place that all software would have to abide by, then we could start to make progress," Roy says. "It may just be that there needs to be an objective standard ... and a legislative mandate that requires a certain level of assurance to provide an assured product."

The "call to action" report, "Software Security Is National Security: Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security," discusses systemic issues with the software development landscape and what needs to be done to rectify the problem of negligent coding. But solving the problem won't be easy, given the problems of speed-to-market pressures and the sheer number of IoT devices being produced, the report notes.

[Ed Note - for those Soylentils that are software developers, does your company provide training/mentoring on how to develop secure software?]


  • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @10:58AM (4 children)

    We don't around these here SN parts aside from telling new devs to use the pre-written SQL subs that we already know are done properly instead of rolling their own.

    --
    My rights don't end where your fear begins.
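The practice described above (pointing new developers at pre-written, vetted SQL helpers instead of letting them build query strings by hand), shown as an added example that is not SoylentNews/rehash code. It uses Python and an in-memory SQLite table with constructed sample rows rather than the site's own Perl subs; the helper name run_query and its two guards are assumptions for illustration.

```python
"""Vetted query helper vs. hand-rolled SQL string building (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'rolled their own' version: untrusted input is spliced into the SQL text,
    so the input can change the meaning of the statement (SQL injection)."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def run_query(conn: sqlite3.Connection, template: str, params: tuple = ()) -> list:
    """The pre-written helper new developers are told to use (hypothetical name).

    Values only ever travel through the driver's parameter binding. Two crude
    guards make misuse fail loudly: the template may not carry quoted literals
    (which is how interpolated input sneaks back in), and every ? placeholder
    must have exactly one bound parameter.
    """
    if "'" in template or '"' in template:
        raise ValueError("quoted literal in template; pass values as parameters")
    if template.count("?") != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    return conn.execute(template, params).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup, routed through the vetted helper."""
    return run_query(conn, "SELECT id, name FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a textbook tautology that turns the WHERE
    # clause into 'always true' when it is interpolated rather than bound.
    hostile = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, hostile))  # leaks every row
    print("safe:  ", lookup_user_safe(db, hostile))    # no user has that name
```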
    • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @11:35AM (2 children)

      by Anonymous Coward on Wednesday May 22 2019, @11:35AM (#846145)

      And you're highly motivated volunteers! ... out in the wild, your security concerns will be squashed since they are seen as unproductive costs the moment you're proposing anything beyond whatever has been a legislative requirement. ... imo/ime, it turns out that the more external dependencies client-sites have, the worse their internal attitudes toward security, user-privacy and overall good-practices are.

      • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @12:12PM

        Well, that's all new devs really need to know. Bad code anywhere else is going to be highly obvious if they can even manage any. Admins are another story.

        --
        My rights don't end where your fear begins.
      • (Score: 2) by J053 on Wednesday May 22 2019, @08:35PM

        by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Wednesday May 22 2019, @08:35PM (#846371) Homepage
        In a way, that makes sense. If your site is highly dependent on outside resources (libraries, frameworks, etc.), then at some level no matter what you do internally to promote or enforce secure coding an error in one of the dependencies can completely negate all of your efforts. So, fuck it.
    • (Score: 3, Insightful) by Nerdfest on Wednesday May 22 2019, @12:02PM

      by Nerdfest (80) on Wednesday May 22 2019, @12:02PM (#846152)

      I took a whole series of courses on secure coding and design in 2005 or so, and have been to several training sessions on secure design, etc. It's not that the knowledge isn't out there, or is hard to find, it's the same as the rest of the problems in software these days. The people coding are too inexperienced, too indifferent, and too rushed. Even if people just had a look at the list of top concerns from here [mitre.org], it would have a huge impact. As with everything else in software these days, I doubt things will improve quickly.

  • (Score: 2) by PiMuNu on Wednesday May 22 2019, @11:44AM (1 child)

    by PiMuNu (3823) on Wednesday May 22 2019, @11:44AM (#846146)

    > how to develop secure software

    No. OTOH I don't work on software that has access to critical equipment (e.g. networked/web stuff).

    > Critical Infrastructure Technology, a cybersecurity think tank

    Who is paying them? What is their motivation? How are they funded?

    • (Score: 4, Interesting) by JoeMerchant on Wednesday May 22 2019, @12:26PM

      by JoeMerchant (3937) on Wednesday May 22 2019, @12:26PM (#846160)

      a Culture of Institutionalized Security

      Like the ISO9001/CE mark initiative, etc., these are "best practices" that certain circles believe are worth the up front investment for their long-term benefits. In the case of security, I agree with them - mostly.

      Like any ISO certification, there are early points in product development where it is definitely a waste of time and money, for instance: when you don't know whether the business model is viable or not yet. Why increase the cost of R&D by any amount when you don't know if anybody is willing to pay for the product?

      Like so many other things, I think that transparency is the answer. If you want to develop the next Facebook and test-market it with zero security certifications, go for it. However, the lack of security certifications should be a clear message to your users about the risks they are taking with your service. Periodic audits and full disclosure of source code to auditors who certify security to standards aren't practiced widely at all today, but they should be. Up-to-date secure signature by certified security auditors on all code, client and cloud side, could be a thing, probably should be for many applications from banking through handling of personal information.

      Free market proponents say that the paying customers will decide if security is important to them or not. I say: as a nation, we can't wait for our WalMart shoppers to learn that security has real value that they should choose to pay for.

      A proposal: Any entity operating an application for profit which handles valuable data, above a threshold of $1M per year, shall either be certified to (as yet to be agreed upon) security standards by periodic independent auditors, or pay a tax of 1% of the value of the data handled. If the data is not of a financial nature, or the financial value of the data is less than the gross income derived from the application, the value of the data shall be deemed to be the gross income generated by the application.

      Don't like taxes? Fine, certify your apps to the applicable security standards. Don't like invasive audits? Fine, pay the tax. You're just a whiner who can't accept the value of security? Fine, don't do business in the country.

      --
      🌻🌻 [google.com]
  • (Score: 2) by VLM on Wednesday May 22 2019, @11:57AM (5 children)

    by VLM (445) on Wednesday May 22 2019, @11:57AM (#846151)

    sheer number of IoT devices being produced

    Isn't this way past the peak of the hype cycle? Just saying the problem is likely to decline not increase naturally over time.

    Now that we're in the era of notification (post-social, post-IoT) a bigger problem is people getting distracted for nothing useful at all, getting tired from infinite spam, etc. Human attention is a limited natural resource being squandered, to our detriment.

    • (Score: 2) by JoeMerchant on Wednesday May 22 2019, @12:55PM (4 children)

      by JoeMerchant (3937) on Wednesday May 22 2019, @12:55PM (#846172)

      Isn't this way past the peak of the hype cycle?

      Yes, and no.

      Just saying the problem is likely to decline not increase naturally over time.

      Um... are people un-installing IoT? The IoT hype has died, but the machine rolls on. Home automation, broadscale data gathering, smart cars, smart doors, smart refrigerators... for better or for worse, these things continue to increase in numbers, while people start to notice them less: which should be a doubling of concern because people forget to question what they are giving away when they "get" a door that they can open with a swipe of their NFC phone.

      a bigger problem is people getting distracted for nothing useful at all

      While I agree, this almost sounds like a pet-peeve of the morning, not an on-topic discussion point. I blame Ajit Pai for all the spam calls I've been getting recently - seems like a straw-man they're trying to prop up and slay for political points.

      --
      🌻🌻 [google.com]
      • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @01:03PM (2 children)

        ...people forget to question what they are giving away when they "get" a door that they can open with a swipe of their NFC phone.

        Yeah, that's why I do all my own neat little IoT automation bullshit coding. At least then I know whose ass to kick over a stupid bug. And it's not like I'm going to automate anything that could go horribly wrong since I know damned good and well that sooner or later it will do exactly that.

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @02:24PM (1 child)

          by Anonymous Coward on Wednesday May 22 2019, @02:24PM (#846212)

          Yeah, that's why I do all my own neat little IoT automation bullshit coding. At least then I know whose ass to kick over a stupid bug.

          How do you kick your own ass?

      • (Score: 2) by VLM on Wednesday May 22 2019, @02:20PM

        by VLM (445) on Wednesday May 22 2019, @02:20PM (#846206)

        these things continue to increase in numbers

        Yeah I'm having trouble finding evidence of that. Statista claims 11M fridges sold in the USA and a different report implies total smart appliance penetration in the USA after a decade of intense marketing remains a mere 3%, so figure an absolute maximum cap of 1/3 of a million new smart fridges per year. However Wikipedia seems to imply we've been suffering under smart fridges in the marketplace for roughly a replacement cycle of cheap "big box" appliances. Also not all smart appliances are fridges. Not too unrealistic that a two decade old marketplace of smart fridges is stagnant around 1 in 1000 people's experience. I think a realistic estimate is a relatively constant half million out there operational and either committing privacy violations for corporate profit and/or being botnet members sniffing passwords.

        It's useful to make estimates like this; given they're a failure in the marketplace so far, we can assume they're off the malware radar in a sort of security through obscurity situation. In the unlikely event they become more popular, the lack of obscurity means they'll become giant security holes once they're popular enough to be a real target.

        It's a long way from smart phone market penetration percentages, or indoor plumbing, where you can pretty much assume everyone participates.

        Compare to something like Game Of Thrones; somewhere around 29 out of 30 Americans don't watch and don't care. Yet it can be fluffed up in the marketing implied to be the defining national cultural event of our lifetimes. Just because everyone has heard stand up comedians and internet posters joke about internet connected fridges for twenty years doesn't mean people actually own them at a rate which is significant.

  • (Score: 4, Insightful) by loic on Wednesday May 22 2019, @12:08PM (3 children)

    by loic (5844) on Wednesday May 22 2019, @12:08PM (#846157)

    Insecure code is not a matter of bad coding practices, it is a matter of project management. Good security practices are expensive and nobody wants to pay for them. And it seems like companies are right because so far it is mostly cheaper to pay for security cover-ups than to pay to secure software.

    • (Score: 2) by JoeMerchant on Wednesday May 22 2019, @12:58PM

      by JoeMerchant (3937) on Wednesday May 22 2019, @12:58PM (#846173)

      so far it is mostly cheaper to pay for security cover-ups than to pay to secure software.

      So far. From the company perspective. From the customer perspective, events like WannaCry have been hugely expensive, not only the direct cost of the event itself, but the institutional reactions, over-reactions, and missed golf games while executives are dragged into meetings to explain what they're doing to prevent a recurrence.

      --
      🌻🌻 [google.com]
    • (Score: 2) by The Mighty Buzzard on Wednesday May 22 2019, @01:10PM (1 child)

      Eh... It's a matter of both, really. If your project management types don't know what to say OMGWTFBBQ over, you're going to get bad code. If your peon types don't know how to not fuck shit up, they're going to fuck shit up. You can automate away some of the responsibility but automation will never fully replace someone who knows what they're doing. Ideally you should do automated testing, have project managers who can spot bullshit a mile away, and peons who get educated by project managers when they write bad code.

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @10:58PM

        by Anonymous Coward on Wednesday May 22 2019, @10:58PM (#846409)

        have project managers who can spot bullshit a mile away

        The existence of such managers is hypothetical or a matter of a theoretical artifice, like the zero level energy.
        Such managers have a half-life in the order of femtoseconds; no stable state is known for them.
        It may be because the very notion of 'manager' requires a level of bullshit to be present; this leads their bullshit detector to self-trigger and bring them into a highly excited state, from which they'll decay spectacularly into managers without bullshit detection capabilities or forever grumbling engineers.

  • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @01:44PM (1 child)

    by Anonymous Coward on Wednesday May 22 2019, @01:44PM (#846189)

    The lack of secure coding is a pervasive and serious threat to national security,
    Yes ... that sounds like Windows.

    • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @04:27PM

      by Anonymous Coward on Wednesday May 22 2019, @04:27PM (#846285)

      The lack of secure coding is a pervasive and serious threat to national security,
      Yes ... that sounds like Windows.

      I agree but I think Oracle needs to be mentioned too. Those of us who work for the government are painfully aware of both issues.

  • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @01:56PM (8 children)

    by Anonymous Coward on Wednesday May 22 2019, @01:56PM (#846196)

    Like safety, security costs money. It is extra effort. It is similar in approach to safety.

    A security process would have to be similar to DO-178, the safety process. It would also have to be a holistic software development approach which includes significantly more testing and attention to security details.

    It is a specialized set of skills which your average programmer won't have just by wishing it into existence. Your average bonehead programmer can barely write a doubly-linked list properly, let alone an input routine that doesn't suffer from buffer overflows or SQL injection. Heck, big ol' Intel can't even make their processors work securely.

    In short, it won't happen for the vast majority of software because it is too expensive: no one will pay for it.

    • (Score: 0) by Anonymous Coward on Wednesday May 22 2019, @02:33PM

      by Anonymous Coward on Wednesday May 22 2019, @02:33PM (#846217)

      Your average bonehead programmer can barely write a doubly-linked list properly

      #include <list>

      std::list<int> my_list; // this is a doubly-linked list

      Done.

      let alone an input routine that doesn't suffer from buffer overflows

      My routines don't suffer from buffer overflows, they enjoy them!

      or SQL injection.

      No chance. I certainly won't go to the trouble of implementing SQL for my home-grown poorly documented and poorly debugged data storage routines.

      See? My programs are perfectly secure! ;-)

    • (Score: 2, Insightful) by Rupert Pupnick on Wednesday May 22 2019, @02:38PM (6 children)

      by Rupert Pupnick (7277) on Wednesday May 22 2019, @02:38PM (#846218) Journal

      Agreed, and waving flags about “threats to national security” is not going to fund the needed development.

      Lots of people will have to be inconvenienced or harmed before there are any organized reforms. Taking note of the fact that the Boeing CEO still has his job, it seems that a disaster of very large proportions will have to happen before anything changes.

      • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday May 22 2019, @02:57PM (5 children)

        by All Your Lawn Are Belong To Us (6553) on Wednesday May 22 2019, @02:57PM (#846237) Journal

        Not sure about that. A "threat to national security" means the government can spend money on it as a priority. And we have a President who is apparently willing to declare things emergencies because he feels like they should be rather than matching objective criteria.

        Not that the government spending money will automatically fix things, either. And not that every single line of code written needs to be secure, either, come to that.

        --
        This sig for rent.
        • (Score: 2, Insightful) by Rupert Pupnick on Wednesday May 22 2019, @05:04PM (1 child)

          by Rupert Pupnick (7277) on Wednesday May 22 2019, @05:04PM (#846305) Journal

          Yes, I didn’t mean to suggest that money wouldn’t be spent, only that it won’t fund the organizations and businesses that have the expertise to address and fix the problem. Any money will go to a Blue Ribbon Expert Panel on Cybersecurity whose members will be appointed after a Nationwide Search [tm].

        • (Score: 4, Interesting) by krishnoid on Wednesday May 22 2019, @08:36PM (2 children)

          by krishnoid (1156) on Wednesday May 22 2019, @08:36PM (#846374)

          From the green site [slashdot.org], "The reality is that security is not something you can buy; it is something you must get."

          • (Score: 2) by All Your Lawn Are Belong To Us on Thursday May 23 2019, @03:24PM (1 child)

            by All Your Lawn Are Belong To Us (6553) on Thursday May 23 2019, @03:24PM (#846664) Journal

            I'd suggest that security is something that is not an absolute. This is why security departments are often attached to Risk Management divisions in corporations. As one who's worked in the security field I'd note you can't "get security" either, you only may obtain some measure of it.

            How one obtains any security without the expenditure of money is beyond me, except in the sense that if one has literally nothing of value to lose and one wants it that way then one does not need security. One can pay an exorbitant amount for guns and guards and locks and cameras and not feel secure, true. But one cannot feel secure without having made an expenditure towards obtaining that which provides that feeling except as above. And in the context of this article (corporate security) one can certainly have objective metrics about the measures one has put in place to attain security, and one can document the failures of those measures to have provided security. That's the point of TFA, isn't it? The lack of attention paid to measures to attain a measure of security in coding is deficient to the point where it is a national-level problem now.

            --
            This sig for rent.
  • (Score: 2) by legont on Wednesday May 22 2019, @05:31PM

    by legont (4179) on Wednesday May 22 2019, @05:31PM (#846324)

    My place currently spends a lot on security; like in beyond any imagination shitload lot. However, one of the main strategies is "need to know". Hence the overall knowledge about good security dev practices is decreasing, imho. I believe the goal is not to make the place secure, but to protect the business from litigation and government punishment.

    This is very similar to the gun debate. Does training, using and owning weapons make a place more secure or less?

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 3, Insightful) by darkfeline on Wednesday May 22 2019, @06:57PM

    by darkfeline (1030) on Wednesday May 22 2019, @06:57PM (#846355) Homepage

    The first step would be to actually understand how computers work, because otherwise, any attempt to secure software is fundamentally misinformed.

    https://www.joelonsoftware.com/2002/11/11/the-law-of-leaky-abstractions/ [joelonsoftware.com]

    I would say most programmers simply do not know how computers work. They don't know about logic gates, latches, adders, registers, op codes, operating systems, virtual memory, processes, syscalls, IP, DNS, or application level network protocols. Anecdotally, most web devs cannot even write out an HTTP request (hint: it's a simple plaintext format).

    If you don't have developers with a basic education, talking about secure code is a non-starter. It's cargo cult programming.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 22 2019, @08:33PM

    by Anonymous Coward on Wednesday May 22 2019, @08:33PM (#846369)

    This is sidestepping the main national security issue in regard to code: the fact that the government is buying closed source code with extorted tax dollars instead of funding FOSS code that the people have rights to. Any gov ass hat who doesn't understand that proprietary code is insecure by design has no business telling anyone else how to write software or what they need to buy.

    They probably just want to create gov sanctioned certification hoops so only their whoring pals in big business can pass and have their closed source shit bought. IOW, more vendor lock in disguised as security.

  • (Score: 0) by Anonymous Coward on Thursday May 23 2019, @12:21AM

    by Anonymous Coward on Thursday May 23 2019, @12:21AM (#846443)

    I can see it coming... just like doctors, expect expensive insurance and government certifications

    and unions, and banning doing stuff on the side... (in effect)
