LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

There WILL be a JavaOne this year
JavaOne will happen in 2010, as a co-located event with Oracle's OpenWorld, on Sept. 19-23 in San Francisco.
01/27/2010 01:02 PM EST

 

Events calendar tab
Macworld 2010
2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010
2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)
2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo
2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse
2/21/2010 to 2/24/2010
Las Vegas
IBM


 
print Printable version 
Most Read Latest News Blog Resources
Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

Guest View: IT security: apathy or ignorance?


By David N. Kleidermacher
April 1, 2009 — 
The world has a serious problem when it comes to IT security. In two words: It sucks. Critical IT systems, including national infrastructure, are built on software that is known to be hopelessly filled with vulnerabilities. We spend countless billions trying to patch and filter our way to security, but the hackers are always a step ahead. There are so many holes, it is downright child’s play to find a way in.

The daily reports of hacked credit cards are almost comical. However, a concerted attack by determined, well-funded, technologically sophisticated adversaries to take down our power grid or air-traffic control system wouldn’t be funny at all. As President Obama recently stated, “It's no secret that terrorists could use our computer networks to deal us a crippling blow.”

Why aren’t people more upset about (the lack of) cyber security? Sure, the economy is in shambles, but it has become clear from TARP and the stimulus bill that the best we can do is trial and error and patiently wait for the illness to run its course.

However, when it comes to computer security, there is a known cure for our cancer. Companies can create secure software by following a process that prevents vulnerabilities. It is done all the time in aircraft and in certain military and intelligence systems. But the enterprise software world chooses not to do it this way. There simply hasn’t been a strong enough incentive to do the right thing.

The dilemma is exacerbated by the common practice, from otherwise reputable companies, of making misleading statements about the security of their products. A naïve public puts its crown jewels under the control of software and systems that can’t even keep a smart teenager out, let alone a nation state that puts its best Ph.D.s on the problem.

In 2008, VMware announced its hypervisor’s certification to Common Criteria EAL 4+. The announcement included the claim of suitability for “sensitive, government computing environments that demand the strictest security.” Three days later, severe vulnerabilities in these products were posted to the U.S. Computer Emergency Readiness Team’s National Vulnerability Database. Among other pitfalls, the vulnerabilities “allow guest operating system users to execute arbitrary code.”

Doesn’t this equivocation make people angry? Are we so desensitized to insecure software that no one thought to write an op-ed piece taking VMware to task on this EAL 4+ drivel? The media reports daily about the hacks, intrusions and data losses, but software vendors are rarely called out.

When a gaping security hole was recently discovered in Google’s Android software, the only person to cry foul was an engineer. Ed Burnette, writing a column titled “Worst. Bug. Ever.” on ZDNet, reports that Google was almost flippant: “The reason why we consider it a large security issue is because root access on the device breaks our application sandbox."

Another example is General Dynamics’ Trusted Virtual Environment (TVE), a platform that uses SELinux as its “trusted computing base,” and makes claims of “high robustness” and a “quantum leap in the way military and government security levels are accessed.” Yet TVE has not achieved a high robustness certification. Numerous vulnerabilities in SELinux have been found (check the National Vulnerability Database). According to the NSA, the SELinux effort has included “no work focused upon increasing the assurance of Linux itself,” and SELinux is “very unlikely by itself to meet any interesting definition of secure system.”

Even the big-name security vendors are guilty. On the front page of McAfee’s website is the promise of “uncompromised protection,” along with “McAfee Network Security Platform Aces Coveted IPS Test.”

The National Vulnerability Database has posted approximately 60 flaws in McAfee software, including one that could be exploited using any type of network traffic scanned by a McAfee product. What is not mentioned on McAfee’s website is the sad reality that anti-malware vendors are fighting a battle that cannot be won.

Information Security Magazine recently performed a test of 8,114 malware specimens against seven different anti-malware vendor products. The best performing product was unable to detect 8%, or approximately 640, of the specimens. If a black hatter’s favorite Trojan is countered, he just writes a new one. As Steve Hanna, co-chair of the Trusted Computing Group, recently articulated: “We cannot patch our way to a solution to our security problems.”

These examples are just the tip of the iceberg. Modern security claims are like the leeches, charms and humors of medieval medicine. But can IT managers and consumers alike raise the ignorance of Middle Age patients? Or is it apathy that squelches a cry for reform?

Don’t get me wrong: I have a tremendous respect for Google, Microsoft, VMware and others. They have advanced society with astounding capabilities and functionality. But these companies have let us down when it comes to security.

To create software that is secure, a high-robustness development process must be followed from the start. High robustness implies a level of rigor in design, testing and formal analysis that is alien to enterprise software houses. High robustness also requires a steadfast application of the core security engineering principles of least privilege, complexity minimization, and componentization.

People are demanding a solution to the economic mess. Why aren’t they demanding a solution to the security mess? Now that there is proof that it is practical to create and deploy certified high-robustness solutions, it’s time to hold software providers to a higher standard.

David Kleidermacher is CTO of Green Hills Software, which sells embedded operating systems and development tools.


Related Search Term(s): security


Share this link: http://www.sdtimes.com/link/33368
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading