The National Institute of Standards and Technology (NIST) published a report last month, Safer, Less Vulnerable Software Is the Goal of New NIST Computer Publication:
We can create software with 100 times fewer vulnerabilities than we do today, according to computer scientists at the National Institute of Standards and Technology (NIST). To get there, they recommend that coders adopt the approaches they have compiled in a new publication.
The 60-page document, NIST Interagency Report (NISTIR) 8151: Dramatically Reducing Software Vulnerabilities, is a collection of the newest strategies gathered from across industry and other sources for reducing bugs in software. While the report is officially a response to a request for methods from the White House's Office of Science and Technology Policy, NIST computer scientist Paul E. Black says its contents will help any organization that seeks to author high-quality, low-defect computer code.
"We want coders to know about it," said Black, one of the publication's coauthors. "We concentrated on including novel ideas that they may not have heard about already."
Black and his NIST colleagues compiled these ideas while working with software assurance experts from many private companies in the computer industry as well as several government agencies that generate a good deal of code, including the Department of Defense and NASA. The resulting document reflects their cumulative input and experience.
The report recommends five main approaches as described in lay terms in this infographic.
The report is available at: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf
(Score: 2) by Runaway1956 on Tuesday January 03 2017, @03:26AM
It's the old refrain. Make it "good enough", and push it out the door. Ease and convenience are primary concerns, security and vulnerability can be addressed some time in the future - maybe. If we get around to it.
The world would be so much better off, if we all relied on Unix-like operating systems. We see the "good enough" business in the Linux world. The difference is, it's all open source, so that when it is NOT "good enough", someone can fix it. In the Windows world, the Apple world, and increasingly in the Android worlds, there is no one to fix the closed source binary globs.
Yes, there really needs to be some kind of standard for security. Watch Microsoft stand in the way of any such efforts though. If Windows is to remain closed source, it would cost Microsoft tons of money to meet any reasonable standards. And, we know damned well that MS won't open source their code. That just ain't happening.
Apple? The walled garden will probably survive the institution of decent standards. Apple, under the hood, is a Unix-like, after all. It would be expensive for Apple to meet stringent standards, but they could do it, and pass the cost on to those who believe in Apple.
Android? The jury is still out on that. Google needs to step up to the plate, and rescue their brain child. Android is being royally screwed, primarily by the telcos that insist on locking down their phones.
Abortion is the number one killer of children in the United States.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @03:47AM
Quality, time tested open source code like OpenSSL?
Here is a piece of code that much of the world had been using for years; it was crap, and devastating bugs were found only after YEARS in this library, which was open source for all the world to see. Too bad nobody cared to look.
You say you can always fix open source, but this widely used library was so bad they chucked it and wrote a replacement in LibreSSL.
I am not saying closed source is necessarily better than open. Open or closed can be complete crap, and having programmed for over 20 yrs, I am forced to use a LOT of high profile but CRAP open source. I would say code quality is about the same between open and closed and that writing a replacement library is FREQUENTLY easier than getting the egocentric maintainers of a buggy library to accept a code fix from the outside.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @05:00AM
Quality, time tested open source code like OpenSSL?
You're going for a nirvana fallacy? Typical. Nothing is perfect. Countless proprietary programs had severe bugs that were discovered and fixed years after they were introduced as well, so it's not as if the same thing doesn't apply there as well. I'd argue the difference is that, with free software (not "open source"), you have the freedom to inspect the source code, the freedom to fix bugs yourself, the freedom to hire others to inspect the source code, the freedom to give the community the altered source code so that everyone can benefit, and so on. With free software, you are not completely dependent upon a particular developer or company, unlike with proprietary software; this gives you more options than just 'Take it or leave it.' While free software is not always perfect, it is oftentimes superior; you might be able to point out a horrible bug in some free software programs, and I could just as easily point to a million similar instances in proprietary software. I'd also argue that it's an ethical imperative for software to respect users' freedoms, so even if some free program is inferior to its proprietary equivalent in a technical sense, the free software is still better because it respects your freedoms.
(Score: 2) by maxwell demon on Tuesday January 03 2017, @07:51AM
With rare exceptions (like DRM), software neither respects nor disrespects users' freedoms. The license does, however.
Note that the very same software can be available under vastly different licenses.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by RS3 on Tuesday January 03 2017, @05:41PM
Is Scott Adams here on SN somewhere? Today's Dilbert http://assets.amuniversal.com/a1fcce70a905013416c3005056a9545d