Software is riddled with ‘dumb’ design flaws that undermine security, and the IEEE and a clutch of big tech firms including Google, Twitter, HP and Intel, together with several universities, have decided to launch a new organisation to do something about it.
Called the IEEE Center for Secure Design (IEEE CSD), the new initiative has set itself the task of campaigning against fundamental flaws in the way software is designed before it is even implemented in code. This includes flawed assumptions about trust and the nature of user identity, and simple things such as forgetting how easily users can be manipulated into bypassing apparently watertight security mechanisms.
To help explain what this means, the IEEE CSD accompanied its formal launch with a 31-page Top Ten design flaws report outlining common problems in software. Only 31 pages, given the scale of the problem, you might cry? It is pretty abstract, although anyone interested in security will be familiar with a lot of the content.
We don’t normally print long lists but the IEEE CSD’s groupthink recommendations are worth casting an eye over.
- Earn or give, but never assume, trust
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorize after you authenticate
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources
- Define an approach that ensures all data are explicitly validated
- Use cryptography correctly
- Identify sensitive data and how they should be handled
- Always consider the users
- Understand how integrating external components changes your attack surface
- Be flexible when considering future changes to objects and actors
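Two of the principles in that list, authorize only after you authenticate and keep data strictly separate from control instructions, are easier to see in code than in prose. The Python below is an example added to this article; it is not from the IEEE CSD report or from any of the companies named here. The users, passwords, roles and the in-memory SQLite table are all constructed for the illustration, and the "unsafe" query function is kept only to show the anti-pattern beside its fix.

```python
"""Constructed example of two IEEE CSD principles: authorize after you
authenticate, and never let untrusted data become a control instruction."""
import hashlib
import hmac
import sqlite3
from typing import List, Optional

# Constructed credential store: username -> (salt, PBKDF2 hash of the password).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice": (_SALT_ALICE, _hash(_SALT_ALICE, "correct horse")),
    "bob": (_SALT_BOB, _hash(_SALT_BOB, "battery staple")),
}
# Authorization policy, consulted only once identity has been verified.
ROLES = {"alice": "admin", "bob": "user"}
ALLOWED = {"admin": {"read", "delete"}, "user": {"read"}}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified principal's name, or None. The caller's claim is never trusted."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal which names exist.
        _hash(b"constructed-dummy-salt", password)
        return None
    salt, expected = record
    if hmac.compare_digest(_hash(salt, password), expected):
        return username
    return None


def authorize(principal: Optional[str], action: str) -> bool:
    """Decide from the verified principal and server-side role, never a client-supplied role."""
    if principal is None:
        return False
    return action in ALLOWED[ROLES.get(principal, "user")]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table of per-user notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "admin memo"), ("bob", "shopping list")])
    conn.commit()
    return conn


def notes_for_unsafe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Anti-pattern: the untrusted string is spliced into the SQL, so data becomes control."""
    rows = conn.execute(f"SELECT body FROM notes WHERE owner = '{owner}'").fetchall()
    return [r[0] for r in rows]


def notes_for_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Parameter binding keeps the value as data; it cannot change the query's structure."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,)).fetchall()
    return [r[0] for r in rows]


def handle_request(conn: sqlite3.Connection, username: str, password: str, action: str) -> dict:
    """Authenticate first, authorize second, and only then touch data, using the verified name."""
    principal = authenticate(username, password)
    if not authorize(principal, action):
        return {"status": "denied"}
    return {"status": "ok", "notes": notes_for_safe(conn, principal)}


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "bob", "battery staple", "read"))     # ok, bob's notes only
    print(handle_request(db, "bob", "battery staple", "delete"))   # denied: authenticated, not authorized
    print(handle_request(db, "alice", "wrong", "read"))            # denied: not authenticated
    probe = "x' OR '1'='1"
    print(notes_for_unsafe(db, probe))  # both rows: the string rewrote the query
    print(notes_for_safe(db, probe))    # []: the string stayed data
```

The point of the last two lines is the fourth principle in the list: the safe and unsafe functions receive identical input, and only the one that mixes data into the control channel misbehaves. The request handler shows the ordering the third principle asks for, with the role lookup keyed on the name that authentication returned rather than on anything the client sent.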
It reads like a way of rolling back the old 1980s and 1990s world view – which still dominates thinking in the tech industry if truth be told – that bad things probably won’t happen and people won’t abuse technology.
Since the early 2000s, with computer security slowly imploding, it’s as if firms and their customers have been waiting for someone to press a magic reset button. Although not quite that button, the fact that the CSD has IEEE in its name is meant to communicate that it is in it for the long haul.
As well as Google, HP, Twitter and Intel/McAfee, other launch members include Athens University of Economics and Business, Cigital, EMC, George Washington University, Harvard University, RSA, Sadosky Foundation, Ministry of Science, Technology and Productive Innovation of Argentina, and the University of Washington.
A few names are missing – no Cisco, no Oracle, no Facebook and no Microsoft for a start, the latter perhaps a revealing gap. Microsoft is a perfect case study in how complex it is to close the gap between knowing something is badly designed and actually doing something about it.
For instance, in its Top Ten paper, the IEEE CSD mentions principles such as ‘design for secure updates’ on page 29. “It is easier to upgrade small pieces of a system than huge blobs.”
But the world's most famous 'blob' software is surely Windows, an operating system that, up to Windows 8, has shipped as a succession of event launches years apart. Over time, this has caused Microsoft considerable struggles as design assumptions prove incorrect or inadequate, leading to Service Packs and refreshes on top of a complex monthly patching cycle.
And yet it was Microsoft that launched the Security Development Lifecycle (SDL) in 2005 to improve the core security of its operating system and programs, a pioneering initiative at the time. But might an operating system that evolved gradually Linux-style over time have offered better inherent security and less user stress?
So instead of waiting years to ship Windows 7 and then Windows 8, Microsoft could have de-blobbified itself with regular, perhaps bi-annual, releases; former CEO Steve Ballmer would have slammed the door off its hinges if anyone had suggested that profit killer.
“Bugs and flaws are two very different types of security defects,” said Gary McGraw, CTO of consultancy Cigital, another participant in the organisation.
“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 percent of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large.”
Late last year, Cigital released the fifth version of its respected Building Security In Maturity Model (BSIMM), a security analysis model based on real-world behaviour.
“The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security,” said Twitter security engineer, Neil Daswani.
“By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service.”
Industry collaborations happen from time to time and usually quietly disappear once the champagne has run out. If this one can overcome the natural instinct of tech vendors to sell things and 'to hell with next week', it might yet amount to something.