In the past few days I’ve come across two articles that, according to their titles, seem to imply that the problem of software security is practically solved. In the article “Software [In]security: Software Security Comes of Age,” Gary McGraw discusses the numbers and stats behind general software security, the increased use of code scanning tools, and how pen testing is the primary tool used for baselining system security.
A few days after reading the McGraw article, I read an article by Elinor Mills of CNET that addressed this topic further. In her article, “Secure software? Experts Say It’s No Longer A Pipedream,” Mills interviews several software security experts who not-so-subtly imply that we are almost to the point of ‘solving’ the software security problem.
While both pieces are well written and cover the topic of software security in detail, I can’t help but feel cautious when it comes to their titles and their optimism. Both article titles seem to imply that we are on the cusp of solving the problem of software security. (Which, by and large, we’re not.)
When you read the articles in more detail, however, it seems that they should have been titled “Software Security Better But Still Has A Long Way to Go.” (Sound familiar?) In spite of their cheery titles and overall optimistic outlook on software security, both articles note that developing software in a secure manner is still a very difficult task.
And, to be completely honest, I personally feel that creating totally secure software isn’t only difficult, but impossible.
Because no matter how good we get at creating secure software, we’re human. Humans aren’t perfect, and the things we create aren’t perfect. Even if we properly trained every person who uses or develops software, created and enforced clear policies and procedures that would prevent common software security problems, and developed advanced static and dynamic code scanning tools, we are all human and therefore fallible.
We all make mistakes—especially under the time constraints that many vendors put on us to get products and features out the door on time. And while developers are making great improvements when it comes to coding software securely, their primary focus is still on the functionality of a product; security is an afterthought and often not addressed due to the pressures of limited time and resources.
Overall, we have made great strides over the past decade, and these advancements will definitely help lower our risk profiles. However, I feel software security is still in its adolescent phase and that we have much further to go. As eiverson—a commenter on Mills’ CNET article—noted, “[w]e’re making progress on treating cancer too. But people die from it every day. It’ll take years for information security practices for software development to give us peace of mind.”


