In this, my last InfoSec-related blog, the discussion focuses on one of the key strands of the past couple of years, namely "secure by design". The Whitfield Diffie lecture I have previously blogged on - given that he lectures as a professor in computing - included a great insight into the challenges we need to be mindful of in this pursuit.
"We write lousy code; it has bugs in it and worms find the bugs - because of unsupervised array references, buffer overflows, etc." That is a paraphrase, hopefully not too unfair, but Diffie was pretty excitable at this point in his "Hall of Fame" session. He stated that, much like any good university lecturer, he had rambled through his history of the "irresistible concepts" and, once he reached the relevant, recent, exam-worthy material, had sped up so much that we might miss the most salient points!
The bottom line, as far as WD was concerned, is that it can be an expensive exercise to document (write) and support (maintain) quality code, because you need appropriately qualified people to do so. That is not to say that the industry hasn't been trying to achieve this for at least 40 years, apparently. Certainly I know that the BCS Security Forum has previously tried to make inroads into the university curriculum, to ensure that security thinking is built into computer science degrees from as early a stage as possible.
Simplistically, it is already possible to design isolated hardware with no instructions (code) to do anything else, so that a virus cannot persuade the architecture to do bad things. Writing in C, you chase bad pointers, whereas in Java this has now been taken care of. Exercising the stack can be both a positive and a negative. There are clearly lots of considerations in this area which need to be driven out in "secure by design" discussions in order to really "get under the skin" of it and make any headway on change.
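As an added illustration (my own example, not code from the original post or from Diffie's lecture) of the "unsupervised array references" and the C-versus-Java point above: the first function copies a string into a fixed-size buffer with no check against the buffer's length, which is the pattern behind a classic buffer overflow; the second bounds the copy and reports failure instead of writing past the end. The buffer size NAME_MAX, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Example buffer size; an assumption for this illustration, not from the post. */
#define NAME_MAX 16

/* The "unsupervised array reference" pattern: the loop is driven entirely by the
 * length of src, so a source longer than NAME_MAX - 1 characters writes past the
 * end of dst. Shown only as the pattern to recognise and replace. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {   /* no comparison against NAME_MAX */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Supervised version: refuses input that does not fit together with its NUL
 * terminator. Returns 0 on success, -1 on rejection (dst becomes ""). */
int copy_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t len = 0;
    /* Bounded scan: never look further than the destination could hold. */
    while (len < NAME_MAX && src[len] != '\0')
        len++;
    if (len == NAME_MAX) {     /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1); /* len + 1 <= NAME_MAX, so this stays in bounds */
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    /* Constructed inputs for the demonstration. */
    const char *fits = "Diffie";
    const char *too_long = "a string well beyond sixteen characters";
    int rc;

    copy_name_unchecked(buf, fits);   /* safe here only because fits is short */
    printf("unchecked, short input : %s\n", buf);

    rc = copy_name_checked(buf, fits);
    printf("checked, short input   : rc=%d (%s)\n", rc, buf);

    rc = copy_name_checked(buf, too_long);
    printf("checked, long input    : rc=%d (\"%s\")\n", rc, buf);
    return 0;
}
```

The checked version is what "supervising" the array reference means in practice: the bound is decided by the destination, not the source, and an over-long input becomes a reported error rather than a silent write into whatever sits next to the buffer. In Java the equivalent out-of-range write raises an ArrayIndexOutOfBoundsException instead of corrupting adjacent memory, which is the "taken care of" the post alludes to.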
That said, it struck me that many of the known vulnerabilities are adequately described in available resources, and it is important that IT professionals know where to find that information and have the right skills in place to implement the necessary change(s) as and when required.
Ultimately, this is a personnel management challenge, not just an IT management one, as you need to consider the number of programming languages you want to support in your infrastructure. The more languages we ask for, the more we have to manage and maintain, and the more skills we have to keep up to date. This may be a luxury that cannot be supported given the current economic climate, and that will have an interesting impact in the short to medium term on secure architectural design, amongst other things.
Andrea
Comments (3)
As someone with an interest in the security of information (not just IT systems) and someone who in the dim and very distant past programmed in Algol and similar languages, I have searched many times for a good training course for new and developing programmers to help them to understand the coding weaknesses and how to avoid them. Several clients of mine have sought to deal with this issue in a variety of ways: better peer review, better end testing, improved Configuration Management, the need for stress and volume testing at all stages, not just at the end, and so on. The basic requirement though is still to help those actually cutting code to do so securely in the first place. Doesn't BCS have a role in identifying and promoting such training?
Many companies (I work for one) provide application security training at different levels. All you have to do is to shop around.
Yes to highlighting the training... although check out infosecurityadvisor.com amongst others. Perhaps the new "improved" BCS will do all this signposting better...!