David Kleidermacher posted an excellent article on SDTimes, "IT security: apathy or ignorance?" To quote:
The world has a serious problem when it comes to IT security. In two words: It sucks. Critical IT systems, including national infrastructure, are built on software that is known to be hopelessly filled with vulnerabilities. We spend countless billions trying to patch and filter our way to security, but the hackers are always a step ahead. There are so many holes, it is downright child’s play to find a way in.
The daily reports of hacked credit cards are almost comical. However, a concerted attack by determined, well-funded, technologically sophisticated adversaries to take down our power grid or air-traffic control system wouldn’t be funny at all. As President Obama recently stated, “It's no secret that terrorists could use our computer networks to deal us a crippling blow.”
Why aren’t people more upset about (the lack of) cyber security? Sure, the economy is in shambles, but it has become clear from TARP and the stimulus bill that the best we can do is trial and error and patiently wait for the illness to run its course.
However, when it comes to computer security, there is a known cure for our cancer. Companies can create secure software by following a process that prevents vulnerabilities. It is done all the time in aircraft and in certain military and intelligence systems. But the enterprise software world chooses not to do it this way. There simply hasn’t been a strong enough incentive to do the right thing.
David is singing my tune. This, however, is only his introduction: the opening salvo of a magnificent fusillade. David goes on to state:
The dilemma is exacerbated by the common practice, from otherwise reputable companies, of making misleading statements about the security of their products. A naïve public puts its crown jewels under the control of software and systems that can’t even keep a smart teenager out, let alone a nation state that puts its best Ph.D.s on the problem...
In 2008, VMware announced its hypervisor’s certification to Common Criteria EAL 4+. The announcement included the claim of suitability for “sensitive, government computing environments that demand the strictest security.” Three days later, severe vulnerabilities in these products were posted to the U.S. Computer Emergency Readiness Team’s National Vulnerability Database. Among other pitfalls, the vulnerabilities “allow guest operating system users to execute arbitrary code.”
When a gaping security hole was recently discovered in Google’s Android software, the only person to cry foul was an engineer. Ed Burnette, writing a column titled “Worst. Bug. Ever.” on ZDNet, reports that Google was almost flippant: “The reason why we consider it a large security issue is because root access on the device breaks our application sandbox."
Another example is General Dynamics’ Trusted Virtual Environment (TVE), a platform that uses SELinux as its “trusted computing base,” and makes claims of “high robustness” and a “quantum leap in the way military and government security levels are accessed.” Yet TVE has not achieved a high robustness certification. Numerous vulnerabilities in SELinux have been found (check the National Vulnerability Database). According to the NSA, the SELinux effort has included “no work focused upon increasing the assurance of Linux itself,” and SELinux is “very unlikely by itself to meet any interesting definition of secure system.”
In the end, David suggests we must hold software manufacturers to a higher standard. I wholeheartedly agree. I just hope this article wasn't an April Fools' joke.
Common Criteria provides a different set of criteria for security. The criteria are still useful, but in a wholly separate way, as it's an entirely different model of managing roles, abilities, and data access. I know this is old news to you, but I suspect most readers of SDTimes don't understand that.
The question of software security applies across all of this, of course, and is still one of the "wicked problems" affecting our entire information infrastructure.
Posted by: Kyle Maxwell | April 01, 2009 at 08:09 AM