TB (Tony Bradley): Programmers need to be aware of how software is exploited and learn to write more secure code. Books like Exploiting Software or Crackproof Your Software are great resources, but do you think the books are enough?
GM (Gary McGraw): I am not familiar with the Crackproof book. However, your question is a good one. Books like Exploiting Software are really best used as awareness tools. The thing is, awareness alone won't solve the problem. The activity of building secure software requires interjecting security best practices directly into the software development lifecycle. This is something that takes both expertise and experience. Also, it is not something that is going to happen overnight.
We have made great progress in the 4 years since Building Secure Software was released. When Viega and I first wrote that book, the software security problem was brand new, and the idea that software was the root cause seemed novel. We were evangelists, out to save the world. Now everybody seems to understand that software is the problem. But we still need to get more serious about what we're up against. Some of the "application security" stuff that vendors are selling is downright silly. That's one reason why Hoglund and I wrote Exploiting Software.
What we really need to do to solve this problem is two things: 1) put pressure on software vendors to step up and create more secure software (not security software, mind you, but secure software!), and 2) begin teaching developers in college how to write secure code. Developers are, to this day, surprised that they need to worry about security.
TB (Tony Bradley): Is there potentially a market for either software tools or a service to be provided that can examine code and validate or certify it as secure?
GM (Gary McGraw): Of course. Cigital has been providing software security services since 1997. There is money to be made in this field. There is plenty of bad software out there for us to fix!
Tools for eradicating bugs like the buffer overflow by examining source code are also finally coming of age. Cigital produced the first tool in the world to do security scanning (called ITS4) back in 1999. Now a number of startups are taking the next generation of that technology to a wider market. I am a big fan of Fortify Software's excellent toolset, which is based on Cigital-designed technology. Greg's company HBGary distributes a binary version of this idea, scanning executables for security issues.
One of the remaining problems is that at least half of all software security defects are caused by design-level flaws that cannot be discovered using simple code scanners (which concentrate on finding bugs). That means somebody needs to do architectural risk analysis. Cigital provides these kinds of knowledge-intensive services for our customers.
It's a bit premature to talk about certification for security. This is a great goal to try to attain, but we need to do more groundwork first on figuring out how to make software secure.
TB (Tony Bradley): Should software developers and program vendors be held liable for damage arising from producing insecure code? How would you define a reasonable threshold of due diligence in validating secure code?
GM (Gary McGraw): Not unless and until we begin educating developers so that they know they are responsible for some of these issues. Most developers and architects are excited to learn about software security issues. However, most developers and architects still have no idea that they need to worry about security until they are explicitly told. We need to change the way we teach people to code.
As for the second part of your question, there is not really any way to declare any given piece of software secure enough for all purposes. Security is risk management, you see, and there is no such thing as 100% security! In order to do the right thing from a software security perspective, a clear understanding of the purpose (business or mission) of the software is an essential first step. Given some particular context, it may be that completely insecure software is good enough (but you didn't hear that from me)!
In the end, every producer of software needs to at least worry about software security these days. And every consumer of software should demand more secure software of their vendors.