NSA, DHS, Industry Gang Up on Dangerous Software Errors

Posted by: Stephen Wildstrom on January 12, 2009

Computer security experts have warned for years that the endless cycle of software flaws and exploits will only be broken when we create incentives for software authors and publishers to get it right. On Jan. 12, the industry took a potentially important step toward that goal when a broad coalition of companies, government agencies, academics, and advocacy groups launched a program to assure that software is free of 25 common errors that lead to the bulk of security problems.

The key to making the program effective is that it goes well beyond recommending best practices. Software buyers, particularly governments and large corporations, are being urged to demand that vendors certify that the code they sell is free of these 25 errors, and there’s nothing like potential legal liability to get a company’s attention. In addition, colleges are pledging to train students in writing such software, and employers can use the guidelines to assess the skills of the programmers they hire.

The program was developed jointly by the SANS Institute and MITRE, with backing from the National Security Agency and the National Cyber Security Division of the Homeland Security Dept.

In one sense the list of the Top 25 errors this program is designed to fight is a little sad, because the problems are the same ones that have created security liabilities for decades. The first known Internet worm, created by then Cornell graduate student (and now MIT professor) Robert Tappan Morris in 1988, exploited a weakness known as a buffer overflow, a way to get a computer to execute code disguised as data. Two decades later, buffer overflows and other closely related errors continue to be major security problems and have earned a prominent place on the Top 25. Other common security problems addressed on the list include Web site design problems that allow hidden code on seemingly benign pages to invisibly redirect you to a malicious site, improper use of encryption that can lead to the loss of critical data, and good old-fashioned calculation errors that can wreak havoc on results.
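To make two of the error classes named above concrete, here is an added example (not code from the article or from the SANS/MITRE list) showing the checks whose absence produces a classic buffer overflow and an arithmetic wraparound in an allocation size; the function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounded string copy. Returns 1 after copying when src and its terminating
 * NUL fit in dst; returns 0 and leaves dst as an empty string when they do not.
 * The classic Top 25 bug is an unchecked strcpy(dst, src), which keeps writing
 * past the end of dst whenever src is longer than the buffer. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return 0;
    if (len >= dst_size) {           /* no room for the bytes plus the NUL */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);       /* includes the terminator */
    return 1;
}

/* Checked size multiplication for allocation requests, the "calculation error"
 * class. count * elem_size can wrap around to a small value, so a later
 * malloc() hands back a buffer far smaller than the code then writes into. */
int size_mul_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;  /* would wrap */
    *out = count * elem_size;
    return 1;
}

/* Stand-alone demonstration with constructed inputs; exit status 0 means all
 * four checks behaved as expected. */
int main(void) {
    char buf[8];
    size_t bytes;
    int ok = copy_bounded(buf, sizeof buf, "hello");          /* fits */
    ok &= !copy_bounded(buf, sizeof buf, "this is too long");  /* rejected */
    ok &= size_mul_checked(1000, 16, &bytes);                  /* 16000 */
    ok &= !size_mul_checked(SIZE_MAX / 2 + 1, 2, &bytes);      /* would wrap */
    return ok ? 0 : 1;
}
```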

One encouraging thing about the Top 25 is that such organizations as Microsoft, Apple, and Oracle are aboard, along with a lengthy list of security vendors. Still, the effort is not going to lead to much unless buyers, especially governments with their massive clout, get serious about buying only security-certified software.

Reader Comments

dave

January 13, 2009 05:05 AM

Are there not programs at schools like MIT and Stanford that deal with these issues?

Lawrence

January 13, 2009 09:37 AM

Reviewed the list; some of them are pretty common, and often overlooked. The list would form a nice little checklist before making a website public.

Ken van Wyk

January 13, 2009 09:43 AM

Many schools (including those) have specialized programs, that's not the problem. The problem is that _every_ programmer doesn't learn to avoid these mistakes in his/her code. Learning from these mistakes must be in every curriculum, not just the specialized security ones.

Bob

January 13, 2009 11:09 AM

I agree with Ken Van Wyk that the main issue is that the programmers don't avoid these mistakes - additionally, Management doesn't insist on checking vs. shipment. Tools and techniques are available - but not used.
As an example...pointing to this article itself: There are spelling checkers and grammar checkers available. But they obviously weren't used (1st paragraph: "a program to assure than software"...and the word: "lonmg".).

slab

January 13, 2009 11:35 AM

I've always found it curious that the Federal Gov't encourages the use of certain encryption algorithms. Not long ago, they tried to throw people in jail and prosecute them for even using encryption. Now they want to be your friend and tell you which encryption algorithms are "good" and which are "bad". How many corporate bigshots don't have a clue what they're talking about regarding encryption - they only know that if they repeat certain things in public, they'll sound like they know what they're talking about and likely receive applause for it. That's what a lot of these recommendations are, just the same people over and over tapping their toes altogether. Many of them couldn't design their way out of a wet paper bag, but their walls are covered with credentials. It's just a game and no one knows any better, least of all...BusinessWeek.

Biker Y

January 13, 2009 12:37 PM

The real problem is programmers do not program anymore. They blackbox. Take code from another programmer (without understanding it) and implement it. C, C++, object oriented design all lead to these "shortcuts" that lead to disaster. All you really need to do is verify and then mini-max your code. Small tight code, doing the job faster. Oh, but wait... Who the heck counts cycles anymore... Or memory usage...
Bad programming skills lead to bad programs...

Steve Wildstrom

January 13, 2009 12:40 PM

@Slab--The recommendations are about good programming practices, not encryption.

But while we are on the subject, encryption is an area where nearly everyone involved believes the federal government has played a constructive role in recent years. NIST recommends (and requires for "sensitive but unclassified" government communications) use of the Advanced Encryption Standard, which was selected as a replacement for the deprecated Data Encryption Standard in what is generally regarded as an exemplary open competition. Except for a handful of countries under U.S. export sanctions, software using AES is freely exportable without special export licenses.

Slab

January 13, 2009 01:10 PM

@Steve Wildstrom - It IS about encryption, among other issues. The article revolves around a list of 25 common issues cited by these authorities. And encryption is involved in several of these. Did you read them?
No? Besides that, you don't seem to even understand MY point, you just wanted to drop something about AES.

Slab

January 13, 2009 01:14 PM

Instead of a cut and paste from some wiki-whocares, I recommend you read the article from top to bottom, and also the material it cites. Does the article even say anything about obfuscation, or only that programmers as a group are careless and stupid? Then don't forget to drop some ten cent comment about how YOU know that too.

Strategery

January 13, 2009 07:22 PM

This article is weak: Microsoft is to blame for most security problems. When a software company has a near monopoly, there is no incentive to write good software. Another problem: bloated code. Software used to be concise, but improvements in hardware have led to cut-n-paste coding. The government opposed encryption because it was theoretically impossible to crack. Now, I suspect one of three things: the government has a key to decode the encrypted data, the government has access to the data via a backdoor program to retrieve it before encryption and/or they have classified supercomputers that are able to decrypt data.

carl

January 15, 2009 01:35 AM

Having looked at the article above, the comments and the link to SANS Institute, I thought I would comment purely from an end-user perspective.
Why do incentives need to be created now? What's been going on with software programming/coding/encryption etc. up to this point? It seems that some of these issues, to my mind, are a result of a lack of pride, not just for the work in writing software, but also for those using it.
Don't get me wrong, I don't wish to imply that I am tarring everyone with the same brush, as I am confident that there are people who do their work to an outstanding degree. However, this article opens up by saying that experts??? have been warning for years!!! on these flaws and their impact. In addition to the 25 errors listed, I found that when I looked further down the page it then tells me that there are an additional 700 issues; that is blatantly taking the piss. Why has the situation got to this point? Is it mainly down to the monopolisation of Microsoft as the comment from Strategery says? Or other variables like poorly taught techniques? I just find it hard to believe the industry has let things get this far without these points being dealt with....
Even though my punctuation may not be top notch, Mr Wildstrom, I agree with Bob's comment about using a spell and grammar check, especially when writing an article on errors.
Also why didn't the leading software/IT companies fund this study?

Bill Caelli

January 15, 2009 02:11 AM

STOP!
Why are DHS/SANS/Mitre concentrating on essentially the application layer programming professional?
For example, buffer overflow problems were clearly addressed as far back as 1982 in the Intel iAPX-286 segmentation architecture, and even earlier on mainframe/mini systems, and so on. A properly structured compiler, e.g. Intel's PL/M language processor, etc. eliminates this problem by proper allocation and use of the underlying hardware.
Excessive privilege control was addressed as far back as B2 "Xenix", and others with mandatory access control, now FMAC or Flexible Mandatory Access Control, where all internet connected computer operating systems should be NOW in a totally exposed global web (discretionary control or DAC is totally obsolete in this environment).
This list seems to confuse application layer programming with the underlying responsibility of the IT industry itself, i.e. Intel, Microsoft, and others, through the requirement to offer base operating system software, component libraries, language processors/compilers/interpreters, "middleware" etc. that clearly meets the programming security needs of today.
After all, why did NSA even bother with SELinux development?
I expected a much better and considered approach from such a respected organisation as Mitre.... let us know what the responsibility of the likes of Microsoft/Intel/SUN really are to make secure application software possible FIRST, then align that with the needs of the applications programmer.
