Secure Coding mailing list archives
RE: Report seeks more secure world for software development
From: "Gary McGraw" <gem () cigital com>
Date: Fri, 02 Apr 2004 19:24:59 +0100
Hi all,

Here's a behind the scenes view of what's going down with the DHS report. Remember, this is only my point of view here. The report has pretty serious design by committee problems, which is not surprising since it was designed by, well, committee. Reaction is bound to be mixed. My opinion is that there is some really good stuff in here (see URL below for a pointer to the process and best practices section) and there are some parts that are vacuous and even silly. Here's why that happened.

The report was divided into four sections and put together very quickly with lots of people involved: education, incentives, patch management, and process/best practices.

** Education was chaired by Fred Cohen. The major problem is that Fred is not really an academic. Looks like some more CS professors should have been in the loop on this part. Felten and I discussed this yesterday, and he is not very happy with the results since they don't take into account real academic structures or realities.

** Incentives. I don't know who the Incentives section was chaired by. Allan Paller hates this part and had been taking pot shots at the entire effort based on his reaction to this. I spoke with him yesterday, and basically, Allan believes that the taskforce seems to be using the good technology people to "game" the government so they end up doing nothing. He says our good technical stuff is being used as a tool and that they are packaging our quality stuff in a mostly innocuous and thus useless package.

Instead of the incentives in the report as they stand now (a section I have not paid much attention to, I must confess), Allan thinks the government should do 2 things:

1) use its buying power to FORCE the use of the best practices we came up with by buying only from those who follow them in a demonstrable fashion (we would need to make a roadmap for evolutionary adoption of this stuff)

2) put in place anti-trust exemptions to allow critical infrastructure industries to cooperate in order to do the same thing we want the feds to do in 1

** Patch Management, which most of you know I think is complete and utter hooey, was forced in by Kathy Allen of BITS (who later resigned from the study). In my opinion, this section should be deleted in its entirety. This is a classic "operations" approach to the software problem that simply will not work.

** The Process/best practices tech stuff was chaired by Sam Redwine, who did a great job. I was intimately involved with this piece and am biased in its favor. Us technical people think our part of the report (Processes to Produce Secure Software) is actually good. Not perfect, mind you. But there is so much room for improvement in building software properly that even this amount of info is like water in the desert. We have for this reason pulled it out and surfaced it alone in the technical community, divorced from the other stuff.

http://www.cigital.com/papers/download/secure_software_process.pdf

All in all, about $1M hours of people time went into this effort. Amazing.

This is all part of the shift we need to make in security from the operations guys (network admin, etc) to the builders... And you're a key part of it.

gem