A new secure software special interest group

David Lacey draws attention to the Cyber Security KTN Secure Software Special Interest Group on his blog. I’m totally behind any initiative that sets out to improve software security and I hope that this new group will also make reference to existing established and reputable resources such as OWASP.

The only point I want to make is that the first deliverable of this new group is going to be a white paper. Now, call me an old cynic but I’m not sure how useful another white paper on where we are all going wrong is going to be. We can all refer to numerous references that describe what the problems are and what needs to be done to produce secure software and I’m sure that the Secure Software Development SIG will find an interesting way to write up the messages but, come on, we don’t really need another white paper.

Maybe the place to start is by reviewing the tools being used for development and making a point of how easy they have made it to produce complex products without there needing to be many of the old-school development skills in place. To give you an example of what I mean, I was recently chatting with a senior software architect who works within my own organisation: years ago he worked on Russian satellite navigation systems and was describing to me how his team would be required to write working code without having either a compiler or a system to test the code on! He went on to discuss his incredulity at the developers he now works with who need to compile their code every few lines to check that it works. It’s like modern aircraft: you can sit in the cockpit and have the plane fly without needing to understand anything about aerodynamics or being a pilot: there’s a danger that the skills required to remain in control if the auto-pilot fails are being lost.

So, one of the causes of the problems we have with insecure software is the tools that have made it easy to do a good job badly. The products we are producing are increasingly complex but how many developers making them have the deep understanding of architecture and platforms and how information behaves when it’s being passed across the network? I hear developers talking about protocols but then they can’t explain how those protocols work. They talk about encryption but often don’t even know what algorithms they themselves have implemented, and sometimes not even how.

So, back to the Cyber Security KTN Secure Software Special Interest Group: don’t spend too long on another white paper – what would be good to see is some plan of action (perhaps working with the vendors of the common development platforms?) that will go some way towards tackling problems at the root.

To round off, there’s a good blog from Michael Howard of Microsoft on the subject of secure software here.