Software vendors need to create comprehensive security education programs for their programmers in order to deliver more security
software products to their customers, an Oracle Corp. security expert said Thursday.
Developer education and pressure from large buyers such as the U.S. government are two key ingredients in better software
security, said Adam Jacobs, Oracle's principal product manager, during a presentation at the InfraGard National Conference
in Washington, D.C. Jacobs' presentation was titled, "Why is commercial software so vulnerable (and how can we fix it)?"
During the InfraGard event, which focused both on cyber and physical security, Jacobs and other cybersecurity experts gave
various reasons for the common complaint that commercial, off-the-shelf software is often riddled with security holes. Jacobs
seemed to partly agree with David Aucsmith, chief technology officer at Microsoft Corp.'s Security Business & Technology Unit,
who said at InfraGard Wednesday that software vendors often ignored security functionality in order to make their products
easier to use, at least until recent years.
Aucsmith used the example of the Windows 95 operating system, which had "no security" as a design goal because users wanted
an easy-to-use OS, he said. "We would get points taken away by the analysts and in the press if [software] was hard to configure,"
he added.
Jacobs agreed that some software was designed poorly, but most security vulnerabilities now come from coding errors -- what
he called implementation errors -- not in software designed to be insecure, he said. While more software vendors began focusing
on designing more secure software in recent years, security bugs still exist, he added.
"The number of fixes that are coming out to you each month isn't going down, it's going up," Jacobs said. "Your design on
paper can be brilliant ... and you hand it off to the developer and that means nothing when it comes to implementation flaws."
The problem is that many software developers don't understand mistakes that cause buffer overflows or SQL injections, Jacobs
said. In the past, Jacobs has encountered Oracle developers who don't understand SQL injections although that's a common vulnerability
for the databases that are part of Oracle's core product line. Part of the problem, Jacobs said, is that many universities
teach computer science theory without teaching much about the practice of programming.
Adding to the problem is that developers are often rewarded for meeting deadlines, but not for writing secure code, Jacobs
added. Software vendors need to find better ways to reward slower coders who turn in cleaner code instead of giving bonuses
to programmers who turn in buggy code on time, he said. After the fast coder gets his performance bonus, "it doesn't really
matter when, six months later, 15 bugs come in."
To combat coding errors, Oracle has created its own in-house security training program, a one-day course including quizzes
that all employees dealing with programming must take. Oracle received a lot of complaints from employees when the program
first started, but reaction has since been positive, with some developers returning to coding projects during a break in the
course to fix errors they learned about, Jacobs said.
"We can't expect every developer to be a security expert," he said. "What we do need is for every developer to understand
security fundamentals."
In addition to other programming challenges, it's difficult for software vendors to hold individual programmers responsible
for single errors in code, Jacobs said. In the past, a vendor who identified a programmer who created a buffer overflow vulnerability
could get the response, "I didn't know about that problem," he said.
But the Oracle training class adds a level of personal responsibility, he added. "You can't come back to me now and say, 'I
didn't know about SQL injections,'" he said. "I can say, 'Yes, you do, you took my class.'"
In addition to education programs, numerous automated tools exist to check code against common errors, Jacobs noted. But the
tools aren't perfect and can't replace developer security education, he said.
Jacobs also urged large buyers of technology to insist on more secure software. In some cases, buyers reward cheap prices
over security, however, he said.
"Oracle and any other software company isn't going to invest the time and money to complete a product ... that may be more
secure, if you're going to go to [another vendor's software] and say it's available faster and it's cheaper," he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
