It may be a decade before software suppliers get the automated tools they need to look for bugs in their code, although there are already mature and widely used tools about, said the former director of cybersecurity for the US Department of Homeland Security.
Creating software assurance tools was one long-term focus of the department's National Cybersecurity Division during his tenure there, said Amit Yoran. He was speaking at the E-Gov Institute Homeland Security and Information Assurance Conference in Washington, DC.
About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes.
"Today's developers often do not have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," he said.
Government research into some such tools is in its infancy, he added.
"This cycle will take years, if not decades, to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance."
Yoran, who resigned from his Department of Homeland Security position in September after a year in post, hinted at why he left, but sidestepped a direct question. In the private sector, he had a "real objective" on how to move forward, he said.
"When you move into a strategic and somewhat ill-defined role of 'protect cyberspace', that is a very difficult mission to get your arms around," he said.
"You show up to work on a Monday morning, you are ready to put your fingers to the keyboard, you have got a team of folks working with you - what do you do to secure cyberspace from within the Department of Homeland Security?"
Most internet resources are owned by the private sector, and the US government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice-president of worldwide managed security services at Symantec. With no operational or regulatory control over most of the internet, the goal of securing cyberspace at the department was difficult, he said.
Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address.
Yoran, however, defended President Bush's National Strategy to Secure Cyberspace, released in February 2003.
The strategy did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said.
At the Department of Homeland Security "implementing the national strategy is not our job, it's not our responsibility", he said. "It's the nation's job, it's the international technology community's job and responsibility. We can just help."
The national strategy and efforts at the department can help to move cybersecurity efforts beyond the current "cat-and-mouse game" of finding vulnerabilities, assessing whether to patch them, and patching them when the problems become painful to companies, Yoran said.
He predicted a radical transformation in the cybersecurity field within two to four years as more companies and government agencies accept technologies such as web services, remote internet access and RFID.
"In the next two to three years, you will not be able to define where your network begins and ends," Yoran said.
"The paradigms we rely on today for protecting our information - stronger firewalls, more accurate intrusion detection - those types of technologies will be required, but they will be solving an increasingly small percentage of the challenges that are going to be facing us."
Grant Gross writes for IDG News Service