Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: gem at cigital.com (Gary McGraw)
Date: Thu, 19 Mar 2009 08:58:48 -0400

Hi Kevin,

Any discipline with the word "science" in its name probably isn't.  I have a dual PhD in two of those fields (computer 
science and cognitive science), so I ought to know.

I mostly agree with your assessment of many industry coders and IT people (most of whom do NOT have a background in 
computer science).  When someone is asked to whip up a solution to an NP-Hard problem and doesn't know not to work on 
that (or to approach it heuristically), we have some real issues.  There are a boatload of developers who have no 
computer science theory under their belts, and that is a real problem.  And don't even get me started on security 
people!  Fortunately all is not lost, and there are many great people sharing knowledge as widely as possible too.

I can assure you that during my term as one of the Governors of the Computer Society (the largest IEEE society), we 
spent plenty of cycles fretting about how to reverse the trend you noted.  Not much progress was made.  Note that 
Silver Bullet often interviews scientists, and is co-sponsored by IEEE Security & Privacy magazine.

I am optimistic that we can keep things on an even scientific footing in software security if we proceed carefully and 
don't jump on shiny bandwagons as they careen over the cliff.  The time for science is upon us.

gem

http://www.cigital.com/~gem


On 3/18/09 6:14 PM, "Wall, Kevin" <Kevin.Wall at qwest.com> wrote:

Gary McGraw wrote:

We had a great time writing this one.  Here is my favorite
paragraph (in the science versus alchemy vein):
"Both early phases of software security made use of any sort
of argument or 'evidence' to bolster the software security
message, and that was fine given the starting point. We had
lots of examples, plenty of good intuition, and the best of
intentions. But now the time has come to put away the bug
parade boogeyman, the top 25 tea leaves, black box web app
goat sacrifice, and the occult reading of pen testing
entrails. The time for science is upon us."

I might agree with your quote of "The time for science is upon us." if
it were not for the fact that the rest of computer science / engineering
is far ahead of computer security (IMO), and they are *still* not anywhere
near real "science", at least as practiced as a whole. (There probably are
pockets here and there.) For the most part, based on what I see in industry,
I'm not even sure we have reached the alchemy stage! (Compare where most
organizations still are with respect to SEI's CMM. The average is probably
Level 2. Most organizations no longer even think of CMM as relevant.)

My observation is that very few people in the IT profession--outside
of academia at least--belong to either ACM or IEEE-CS or any other
professional organization that might challenge them. I question, on
a professional level, how much we are going to progress as an industry
when most in this profession seem to think that they do not need anything
beyond the "Learn X in 24 Hours" type of pablum. (Those are fine as far
as they go, but if you think that's all that's required to make you
proficient in X, you have surely missed the boat.)

Please note, however, that I do not think this mentality is limited
to those in the IT / CS professions. Rather, it is a pandemic of this age.

Anyhow, I'll shut up now, since this will surely take us OT if I persist.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html




Current thread: