
Tuesday, November 28, 2006

Bill Joy Lays Down the Law on Security

I like Bill Joy.

I mean, I don't know him personally, but when he says things in public they tend to be things I agree with. Way back in the 1980s he was talking about open systems when companies like Harris, DEC and IBM were still pushing proprietary, general-purpose machines. In the 1990s he was intimately involved with Java. Everyone has an opinion about Java; lately many geeks are abandoning it for Python or Ruby. To be sure, there are some sub-optimal features of the language, but compared to C it's got a lot of things going for it.

But lately he had an opinion piece in Business Week about software security: Software Isn't Complete Unless It's Secure. Now you can set the wayback machine pretty far in the past and find people saying the same thing. But this time it's clear that Software Security is a "big deal." Bill Joy's talking about it. That's Bill "I used to be chief scientist at Sun and now work for a major VC firm" Joy.

Bill's text isn't revolutionary to those of us who have been in the software security world for a while. The message is pretty straightforward:

  • It's too easy to build insecure software
  • The consequences of insecure software are increasingly dire, and
  • There are financial incentives to delivering incomplete software

Now Bill's not a Software Security Guru, but that's okay. The simple truth of the matter is none of us are really security gurus. Information Security as a discipline is far from being a well-organized field. "Information Security" can be code for such radically different concepts as configuring a firewall, scanning software source code for vulnerabilities, or even changing an organization's business processes. Adding fuel to the fire are a host of consulting companies, each with their own specialization, each redefining your information security problems to match their solution. In general, they're not bad people, and they're not trying to cheat you or your company. It's just a case of "when all you've got is a hammer, every problem looks like a nail."

Information Security professionals are frequently called upon to do the impossible: to guarantee that a system is free from security vulnerabilities. Assuming we could even agree what's a "regular" bug and what's a security vulnerability, it's still asking someone to "prove a negative." Security requirements are frequently written in such a way as to demand a certain level of "real security." But systems today can only be built to address vulnerabilities we know about now. With the increase in online commerce, there's plenty of motivation for "bad guys" to make mischief. And they're creating new exploits every day.

From a software perspective, there are plenty of things developers can do. Companies like Cigital and Secure Software provide consulting services for development organizations (ask about "CLASP" or the "Risk Management Framework"). Companies like Fortify, Ounce Labs and even Coverity provide tools that can be used to automate software checking for security vulnerabilities. Finally, Howard & LeBlanc's Writing Secure Code and Viega and McGraw's Building Secure Software are two good references for developers interested in shoring up their code.
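To make the "automated source checking" idea concrete, here is a toy scanner I've added to this post; it is not code from Fortify, Ounce Labs, Coverity or any other vendor, and the rule table, the `Finding` type and the sample C file are all my own constructions. It does the simplest thing such tools do: walk the source line by line and flag calls to functions with known bounds or format-string problems, along with the conventional safer replacement. It also shows the "prove a negative" limit from the previous paragraph in miniature: the scanner can only report patterns it already knows about.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a small C file with a few classic unsafe calls
# and one safe call, so the scanner has both true positives and a non-finding.
SAMPLE_C_SOURCE = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* unbounded copy into fixed buffer */
    printf(name);               /* format string chosen by the caller */
    puts(buf);
}

int read_line(void) {
    char line[64];
    gets(line);                 /* no way to bound the read */
    return 0;
}
"""

# Hypothetical rule table (my own, not any product's): callee -> (severity, advice).
RULES = {
    "gets":    ("high",   "unbounded read into a buffer; use fgets with a size"),
    "strcpy":  ("medium", "no bounds check; use snprintf or strlcpy with the buffer size"),
    "sprintf": ("medium", "no bounds check on output; use snprintf"),
}

# Calls we look at: the rule-table functions plus printf, which gets a format-string check.
CALL_RE = re.compile(r"\b(gets|strcpy|sprintf|printf)\s*\(")


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned source
    func: str        # callee that triggered the rule
    severity: str    # "high" or "medium"
    advice: str      # the safer alternative the rule recommends


def strip_comments(text: str) -> str:
    """Drop single-line /* ... */ and // comments so comment text can't trigger rules."""
    text = re.sub(r"/\*.*?\*/", "", text)
    return text.split("//", 1)[0]


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per risky call, in source order."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_comments(raw)
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            if name in RULES:
                severity, advice = RULES[name]
                findings.append(Finding(lineno, name, severity, advice))
            elif name == "printf":
                # Format-string rule: the first argument must be a string literal.
                # printf("%s", x) is fine; printf(x) lets x supply the conversions.
                first_arg = code[match.end():].lstrip()
                if not first_arg.startswith('"'):
                    findings.append(Finding(lineno, name, "high",
                                            'non-literal format string; use printf("%s", value)'))
    return findings


def report(source: str) -> str:
    """Human-readable summary, one line per finding, for running the block directly."""
    lines = [f"line {f.line}: {f.severity:6} {f.func}() - {f.advice}" for f in scan_source(source)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_C_SOURCE))
```

Run as-is, it reports the `strcpy` on line 6, the non-literal `printf` on line 7 and the `gets` on line 13, and says nothing about the `puts`. The two limits worth noticing are the ones real tools fight every day: a safe wrapper named `strcpy` in some project's compatibility layer would be flagged anyway (a false positive), and a hand-rolled loop that overruns a buffer without calling any of these functions would sail through (a false negative). Adding rules narrows the gap; nothing closes it, which is exactly why "prove there are no vulnerabilities" is the wrong requirement to write.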
