SoylentNews is people
SoylentNews
The National Institute of Standards and Technology (NIST) published a report last month, Safer, Less Vulnerable Software Is the Goal of New NIST Computer Publication:
We can create software with 100 times fewer vulnerabilities than we do today, according to computer scientists at the National Institute of Standards and Technology (NIST). To get there, they recommend that coders adopt the approaches they have compiled in a new publication.
The 60-page document, NIST Interagency Report (NISTIR) 8151: Dramatically Reducing Software Vulnerabilities, is a collection of the newest strategies gathered from across industry and other sources for reducing bugs in software. While the report is officially a response to a request for methods from the White House's Office of Science and Technology Policy, NIST computer scientist Paul E. Black says its contents will help any organization that seeks to author high-quality, low-defect computer code.
"We want coders to know about it," said Black, one of the publication's coauthors. "We concentrated on including novel ideas that they may not have heard about already."
Black and his NIST colleagues compiled these ideas while working with software assurance experts from many private companies in the computer industry as well as several government agencies that generate a good deal of code, including the Department of Defense and NASA. The resulting document reflects their cumulative input and experience.
The report recommends five main approaches as described in lay terms in this infographic.
The report is available at: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @03:47AM
Quality, time tested open source code like OpenSSL?
Here is a piece of code that much of the world had been using for years, it was crap, and devasting bugs were found only after YEARS in this library which was open source for all the world to see. Too bad nobody cared to look.
You say you can always fix open source, but this widely used library was so bad they chucked it and wrote a replacement in LibreSSL.
I am not saying closed source is necessarily better than open. Open or closed can be complete crap, and having programmed for over 20 yrs, I am forced to use a LOT of high profile but CRAP open source. I would say code quality is about the same between open and closed and that writing a replacement library is FREQUENTLY easier than getting the egocentric maintainers of a buggy library to accept a code fix from the outside.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @05:00AM
Quality, time tested open source code like OpenSSL?
You're going for a nirvana fallacy? Typical. Nothing is perfect. Countless proprietary programs had severe bugs that were discovered and fixed years after they were introduced as well, so it's not as if the same thing doesn't apply there as well. I'd argue the difference is that, with free software (not "open source"), you have the freedom to inspect the source code, the freedom to fix bugs yourself, the freedom to hire others to inspect the source code, the freedom to give the community the altered source code so that everyone can benefit, and so on. With free software, you are not completely dependent upon a particular developer or company, unlike with proprietary software; this gives you more options than just 'Take it or leave it.' While free software is not always perfect, it is oftentimes superior; you might be able to point out a horrible bug in some free software programs, and I could just as easily point to a million similar instances in proprietary software. I'd also argue that it's an ethical imperative for software to respect users' freedoms, so even if some free program is inferior to its proprietary equivalent in a technical sense, the free software is still better because it respects your freedoms.
(Score: 2) by maxwell demon on Tuesday January 03 2017, @07:51AM
With rare exceptions (like DRM), software neither respects nor disrespects users' freedoms. The license does, however.
Note that the very same software can be available under vastly different licenses.
The Tao of math: The numbers you can count are not the real numbers.