Secure Coding mailing list archives

RE: Report seeks more secure world for software development


From: "Gary McGraw" <gem () cigital com>
Date: Fri, 02 Apr 2004 19:24:59 +0100

Hi all,

Here's a behind the scenes view of what's going down with the DHS
report.  Remember, this is only my point of view here.

The report has pretty serious design by committee problems, which is not
surprising since it was designed by, well, committee.  Reaction is bound
to be mixed.  My opinion is that there is some really good stuff in here
(see URL below for a pointer to the process and best practices section)
and there are some parts that are vacuous and even silly.

Here's why that happened.

The report was divided into four sections and put together very quickly
with lots of people involved: education, incentives, patch management,
and process/best practices.

** Education was chaired by Fred Cohen.  The major problem is that Fred
is not really an academic.  Looks like some more CS professors should
have been in the loop on this part.  Felten and I discussed this
yesterday, and he is not very happy with the results since they don't
take into account real academic structures or realities.
 
** Incentives.  I don't know who chaired the Incentives section.  Allan
Paller hates this part and had been taking pot shots at the entire
effort based on his reaction to this.  I spoke with him yesterday, and
basically, Allan believes that the taskforce seems to be using the good
technology people to "game" the government so they end up doing nothing.
He says our good technical stuff is being used as a tool and that they
are packaging our quality stuff in a mostly innocuous and thus useless
package.

Instead of the incentives in the report as they stand now (a section I
have not paid much attention to I must confess), Allan thinks the
government should do 2 things:
1) use its buying power to FORCE the use of the best practices we came
up with by buying only from those who follow them in a demonstrable
fashion
(we would need to make a roadmap for evolutionary adoption of this
stuff)
2) put in place anti-trust exemptions to allow critical infrastructure
industries to cooperate in order to do the same thing we want the feds
to do in 1

** Patch Management, which most of you know I think is complete and
utter hooey, was forced in by Kathy Allen of BITS (who later resigned
from the study).  In my opinion, this section should be deleted in
entirety.  This is a classic "operations" approach to the software
problem that simply will not work.

** The Process/best practices tech stuff was chaired by Sam Redwine who
did a great job.  I was intimately involved with this piece and am
biased in its favor.  We technical people think our part of the report
(Processes to Produce Secure Software) is actually good.  Not
perfect, mind you.  But there is so much room for improvement in
building software properly, that even this amount of info is like water
in the desert.  We have for this reason pulled it out and surfaced it
alone in the technical community, divorced from the other stuff.

http://www.cigital.com/papers/download/secure_software_process.pdf

All in all, about $1M hours of people time went into this effort.
Amazing.

This is all part of the shift we need to make in security from the
operations guys (network admin, etc) to the builders...

And you're a key part of it.

gem
