Web Services, Web 2.0 & SOA - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Web Services, Web 2.0 & SOA


Report Takes Software Processes to Task



 By: Peter Coffee
2004-04-22
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Web Services, Web 2.0 & SOA story.


Rate This Article:
Poor Best
Secure development requires national commitment to research and training, industry group contends.

I feel as if I could get an entire years worth of columns, or perhaps even build my next career, out of the material in a Task Force Report that was issued at the beginning of this month by the National Cyber Security Partnership.

The NCSP formed in response to last years White House National Strategy to Secure Cyberspace, creating five task forces, including one on "Security Across the Software Development Life Cycle." It is that particular group whose 123-page report seems like almost enough to spend my next several dozen weekly columns addressing.

Coincidentally, the Task Force report emerges on the heels of Richard Clarkes reappearance on the national scene as a voice for the urgent need to attend to computer systems security as a national priority. Some have deprecated Clarkes concern with this subject during the end of his time in the present Bush administration as a sign that he was not aware of worse threats to the nation, but he may wind up looking smarter than his critics on this point. The situation is not merely serious, but is one that will take a long time to correct.

Resource Library:
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Especially interesting in the Task Force report, and something Ive not seen before, is a sober and objective appraisal of just how poorly we train software developers in the discipline of writing software to be secure. "Few people would accept medical treatment," the report opines, "from practitioners who were originally economics graduates, operated on people in their spare time, and went through a rapid training program to become doctors. But as a nation, the United States has taken exactly this position with regard to engineering software systems that run critical infrastructures upon which many lives depend."

The report does acknowledge the multidisciplinary nature of software security, noting that "While a doctoral level mathematician with expertise in number theory can do some limited work in theoretical cryptography and protocol analysis, and a person with a doctorate in computer engineering with a specialization in computer architecture can design new structures to support operating system enhancements, these and many other sub-specialties are required for the systems level understanding required to meet requirements for high surety systems."

This breadth, the report argues, means that "there is a need for a national community of professors with the combined understanding of these issues and the collaborative structure required to apply these experts in concert." A commitment to have just one such research professional in every U.S. state, with support for graduate students and conference participations and related costs, would represent a national initiative costing some $50 million per year, estimates the report; thats cheap compared to the cost of just one significant, large-scale security breach.

To those who argue that software as a discipline evolves too quickly to be tracked by a formal educational infrastructure, the report points out that "for the last 30 years, India has put forth a concerted effort to provide high quality university education in software design to their young people. As a result, India produces programmers that make fewer errors per line of software code than programmers trained in the United States." High-quality software can certainly be insecure, but it seems to me that low-quality software cannot possibly be secure no matter what mechanisms it attempts to use.

Some observers address the Task Force report at much briefer length than my imagined years worth of columns. Ian Grigg is the Australian co-founder of Systemics Inc., described by its Web site as "a technology company specialising in e-payments and financial cryptography." The company appears to have a deliberately obscured location, with its "Contact Us" Web page offering no physical address and advising interested parties that questions "should be sent to admin at the normal place." The company also has a colorful history that sounds more drawn from paperback fiction than from paperless banking, with business disputes involving lurid reports of seduction as a tool of a partner firms business development practices.

Be that as it may, Griggs "Financial Cryptography" Weblog calls the Task Force report on life-cycle software security "a scary document." He calls the reports recommendations a collection of "calls to certify this, verify that, and measure those"; in particular, he takes the report to task for its dismissive statement (on page 6, which is the eighth page of the Task Force PDF document hyperlinked near the top of this column) that "No processes or practices have currently been shown to consistently produce secure software."

One might note that the Task Force is co-chaired by one Microsoft staffer and includes two others as members—the fact that much of the worlds most popular software is obviously being produced by insecure practices does not prove that no secure practices exist. Research conducted by @stake Inc. has documented the effects of design-time choices and has shown their potential for a fourfold reduction of application vulnerability.

But Grigg is up against credible experts like Gary McGraw, CTO at Cigital Inc., who assisted in writing the Software Process Subgroup portion of the Task Force report that includes the statement to which Grigg takes exception. While McGraw has certainly suggested approaches to elevate the security of the software development process, it is not clear that any organization has yet succeeded in building its process on those foundations.

Is your enterprise the existence proof, or can it become one soon?

Tell me what you wish we could learn about secure software processes at peter_coffee@ziffdavis.com.

Check out eWEEKs Developer & Web Services Center at http://developer.eweek.com for the latest news, reviews and analysis in programming environments and developer tools.
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page:  



  Reader Comments: Report Takes Software Processes to Task
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Web Services, Web 2.0 & SOA Articles          >>> More By Peter Coffee
 


xv㶲(#({F)^tZ!rflR9g-$IRY oВ/=ږp)BP(!{A 玪\82H~C<4<ޛ7ouL9Y## rD3,wU E]UeNfN3r-pDΛ"x!H/T a@]254h*lB|OkEsN _ľ^ab- L:q٨؀Cґc)e( `r**ZXtGL:$j cXul !&$f4P=~0[M+.n5\NX0'C8:!X ۱e[7'0ml_j| Tv9s[?"sڟE%ClR"ۆ?5`!tCs<50;zƸþtg+fm6Qn\.ו$5R. r_7mݹ-Ӟ?9nAsfnf_REVI_/r$ #Ko -'JQT\tO{ـ\>uߊ 9N.VT߈O jDT+b1KI mjCG'$/@B >k VQWB-RHJC)JH.1H0#ВƔ^ȲTGb9v⳩s9\_]w2|8vΐ|bUEz 1(2Κgxgj^tܜ<_rt/O{7}rֻ&OݓNI31+?f'*?oG}_A"w[Ccؚ`#j !1|;|i>wOHNś(N/ھBDs#$ 7’2(=si 2Zmoi@.@ ;G`hGo\ ^iKSCo`H" 3#P Vͻfp- @lo K,rM&SH 96Eg)edHC `I*2T3$mQq:]$ySDD'gE>BBp4<01FpJn.r?5K:cfuUYW>2G#-I<Ǟ:)_.=t;ı" sfn3AE% i-DCwuPIՉe&3@yg:{ǻښA(Q#ayQC2|vCO΁YzMd@}>\ tz:2-P(AװaHoE˵FK}ʻ@ƞa$h"D&  TAZǰEFN@@7'\/˥\.u"\m'8Ν3r x%,RȷМWKᗄLPQ9e2iںϖANDl"W(PW)553 [ܺMK'm؂ ȩ * E X3X9` ϹhbH߱ @ja~AL^XPaAꝱi<53ӆ Ԧ$2WBh,QM{lzA;ezWa)W lq[rdžfؓo\Ý =3q ؇¥&I);eڷS$P.CmE;a7˄L4 +״uPLϧ<*h3( XdE,ʢT?>Rai;a")x K[@ x@#sQ_膉rij>:8.`Cϱȧ w=:$7S5kclr>=G SǏqpjTS4 Q59qZ}ń끄_č/ЉcAkp):pJnk1sM^W6꾰'\9g! Al"QpH%'jT?plZ/oZMg#2bhOE},e9F" Ds숸ma,Be1ڴ*3v,˹F Z Ȫ +JuѦ%Ʌi@s@Mȃg'*WcD8v__H G?_wszs`'|\3cI4PT'm8Zzq&!HRQ* OmfB7TO_EXM~a"} ilm su"d(Q|"j*:VH00lI 4l2zuIX-! 0ˇE%CebH}C{h>35RN*r73 TOfZV,֪16DZTd\mjV{l|s0f=hČq@|u1Nw7LzY<,Շƍa_CPt*tȕs|<}j6v0dCe>fLFմdxTfKr 5g݅tI4K6ghA,ȍ)%y7qѦz9aN? c2F=5}mva:N(*uX89'&b)FG4l19"tCI,"W5ݚ `1}jD!ݣ1DX`J(D)y-bhwiT>RRjELRG `bqeDN@ZS臙֤m/ T׊2~eͻMV4]pH)dzDFFV{ <)3p3o9e>'[;Z\ck"*"t+]UnzJeR)Y) =x8:T6sa muKqHϣDʜj%oQ U-qǕ.҆^ߍ[S\bvQq返ء*KGɭX<Z6jRoAaf^(JC BD$KP}dESu?V!ȵ: &Ay\TS,.=ӛ6EUT-V岔?ͳ!ӢBizB]-37;-ܛӍ`,@N|k@a>uRaeK8%w2)B_tFLYo]ʨtqKZ\w޾܀8X'Ԕ-$hU%-QXU@j*U.jkRb(ȵgቛ@=$zf?m`:DǮhb2)fn*)ۙkFM_L7 x;?Ke91sPՇ@|$9w>*%E)tWmj%nO;6&ra::*|H4Ϡ.%O.&-U*RX^HSAJg r;!򵞍q]6x 7 [;^?u/-492=kZgawv++NohqNt WyR%l }-QUmhjgI6@K~{s=|8"ES.Y{p;j^;.+o|tDqZ}cq2 }U^v~9"]{/OE}M q ߢoQR{fB,&8 bwuD ɾW2jv/ ׬mv972sDH4r zE}Iw޻fW{ zWΓ! 'B9!pUN:aSڎ6)N#\_?8A\CWWa@ ձO;׌XqzwѱB3ZKU | AE>STӟFBb-,|A!IBfهB=`?` Ɉn9c{$`O,QBF_XJI.)W$f'eaKO;ی(6F_ٿ~KiV Trt6~O+0waIϤnkf+mԓNH Nn|>0̱_<@IB8827?|KP .M>uRouÎ(%T Lr/"?m[Ė{/=; SJ%MH[wibk%}ьZjK2)!M p)lL*'IZ6Xc(U(8%!T^ҔObCYA*]' ҿj_npZPt.*P{~綱yx5:ӭ*i8(5A}.H>a)GH䕤 W[dUH.~FC.D 6oY-`0PRaMʩ\Wz|ݛf0Cҵhc'^D8JScau +ɅFjo!vC۸FȢ&i{?SdB%ڔ{`ճs@Ӝ)p:9hS3m~76%jE~ܘx-3e<Ǖ+4uG]'gR;3մqr#i:פ}y09Js jTh`a{.LFx>IАޙ5p꺟!L[n'jJ=lhkV<?^wom'tLUf^لK.H ^ݍD_-""cNARn/ߍLzd< gs Hy3D?.ye99޾3C\pbWƙ?h@7X47TCSy[ƺDqekFOWEKT✏qzuZS@mחBavUL&wUOz~@n1DŽ60FcԱEWϩ62 o V9zf;$81<o$[uw+[cgcc;/F%pg&yϖخ!_ЦqŵZǴ p8|+؊wf_Onߖş1g&o)#__k K1-[K?_bBM8TzۭM  ۑ'֖xъ'M| g[| 3ӆ]eޱ[@ob}%ՕT|?7T@58Uc!҈א96u oxUF@B#zQp PBc(|Ŕ0 ^NQgȷ/"c7FB"Y|gԛrI)UM;4}+x5&{#ZK>8*j`6^&džmϷU)&".\ {ΝaY1I v~h9˴ݠ; TVILmCb5^ /K | &Ā͍r d_b?K72Vn2_]NK|2T:Y2!;RI Oi uImP|H{I,y0_B(dA7AWF- 3gX_jBy KA-0 tF) 4|p4vixDxi?+{jGNVMzkQP8R?t:gY,e_t&c*9qXG2IUI>Y~E ]{ɨܒJ\~^,)VU&;Z\5rRJ ms5:,ƭE% (,k߶=W65n +y =$ URU" ZإK?"\=$IY)A&%|.$YT2kV#䪫+׹=[D Ȳ WW2Ty)*}C4g''BoysT}~X+ "$@"$Uӆ)mK?OvOXxMV.W!,a,"jk G1ھ-^hJsں{|A/|t޽M#ohFGVe@ǘkaP(B*EbIh=k|"0xh﹥ )j , ]8k=(h$zA NBqEgLB$ ESgaگV^K:A E #S3|YJJ;ڐ40(e/E.@iA$D @$"!2 Ŀ E> ]Kt$ QyK+۹zIPP+PE9zr`k?JzZ_"k_:"#Z j * [`HլY iϣ(A%q%z ([R⋙"|orjj"^epmsDlWB$y/1P@PvMy$n;Snk /F@Lbuuћ W|lK4X[[d}2Oooooyb6f:c?U_AN>w=l0+ ؼfaZ28ppGڔvѭ`EW5c]7ckefmsvi3P7lϰV"_ό9]7#^8/NdOV@,&GniO}#B9ʁaz2Vv[ *9,n7P+~]MY4ֺ׷ʼn\7'}>*/g7б1o$G瞡' I{|H^k˂5afxp ɑkm 6ˊbt50]GVsgDI;ʥ!h %]hSΧ T  d~O@85Qi'6 [IHsk~)2\",(k03íaD+5zJϣ|pz0KG7Kt?;v21} Z'_|^"RjǠG[_dE@Wk[r"$_M 6j=-Dכ7 Q4sHj@lp="|0S5ϡ'W <ტzgCO Y?ڡ`ڀ]JZWqShP_sͰ?5~qӐT1'u8x|w%Hn9HbߍX֔TK{mk#T Iؓ?a+ZrF-pqp’,R kpW/L,膆L Ҽf204cS),r^4=J711njSQTs.1=OwtIjbiAΣ2·Z.֘0h)B Et xk5\UBI ?ʏ|^Թn:k6DK=!ɣ`58?-[_vn&|,'ֻhb zR[oV7G'ܴTN Gj߮s{M.- =,eOtF-NKLxr c ?tketM/ s&)3"[7\ϰ@4`}"kR$R˫VV' j1@8\SR+ɠ{ n<0 ȵB KhidZy#qKGF^.+byG Ta ̙A1qb#>(vBAfɿPoypv6f|2ۡWǪcjkFQyF:BM%pH߈_aw#ᷭ mslҠ۳aScl*nÕ \N z&WchPþ3=ǎ^t8Rm{Ψ9 :Β2>+L6mY Vg)=ڥ]baiL &N AUTm:FI51X̏XJ0_لJFVI8 LX8.lɵ( N _ֿ$|͌Vk!/.OLy7s'!%  ƈ1,6M$y@dȃ=Tt>ЩJW`?qB&oh}mxJ rGPMqh =|lL@ 'VFSީc&MFER=s# GFjEl~0x\Lv _ <['w{Ԥ7?<^N9Ce joy8֙I :b {r,i 3!F𥗐P\'M3C{N.;7`й #i|Q^H_}ڎʟ"a B?4d]) ]C)@vQY k؂ę!cT tm6uKH*,/K#&7Lh[:LZS0[ٹ/ե"7DTw/3ȏad GsYV}MxhŤ  4FH[~ߧM:ss ,=^C.B'Q?9A1'#Dts<6gh߉0m͚1a;m>a|u(#D[?d 6C;;X=aҜKVDƒ<^;OKvE3@eqy^ 0?/y_CT8ĨЫc배 8OO;ԖS|~ī#x]j3[߰00M-Gc`;[7*CMf*7@ )ns9e' UjV+Qm9g ?g f_C6Pj;#|Si'#O6~2>?Bևi=ȇu3eF>ϐys9?π]"c~.`Y\d1 ϋ ȠOˌ_~O CF? {1?s w1=/=? ː/W@Wq2_\gOoA_ >f'1OO|ߛ o2ڿɠZ'3}S.ruA/ ȋU৬|B]e!?CU$ϠizZmU+\^}VdV*ݫir_5.9Ð+ oY;3մ6*qմ c<r}}e}QƗ*CymoR1"^AܠKXEû""hh4oĺ.gE)aIY-0'Utz.2Wޕ\~Ufe+tj1&ϋR<;Tf;$9w>*%E)U-Wj%nO;F$c!NDojDVDY[TzT,Χ/f2l]dFJ JAO0dCh.Fง} lk"~C PX11d[o2V`6kf)(^(5PD<#M~ m

rPggQkj t+oFpx`޹} tK"+"]tB{-\C'ZNXv7n:ք`HyuF\Ӧ"{'ޓ{J Q)D#WZjM,g`Arl9~u C[3}62ؕpax Yw|×>C$" Ctd3rS&"5l }_I>7}!Ϟz'Tfۧ16NhR5gJ(e` Oy 0r['F_ܝ)ga-,K}`ZvU$$ }= zl{OK=S%n -ŕ?vm$ѐ~Ux+fD愾H)aa"j;-A%aԱQ#tH߱=8ޘ0EcmBUu# 1̅WŞ#1J6qF=U+3௛F3qy],pd+D~$Ɲa9.]K`RHVm. =n`nTO {hL b7>PÃGHƸW[[ q~6`;Ш1DLMvr6MvRmFm^`W:~ib=?];U=ؕc׮<& vj$оaplX `V|ֹ+fo3Јe/~N϶0A&mkHMȏ,l [뙗Zg'].hj=E#Ҏ )ؑ~9j fY Vj(n~30xH>%B6ryTmqX`0yaiѼ8"?j!|ȷNvdZU>8:+[ThGި'O,E܍1w1G g5Z {|iK}Ο%Ա`=b\8qeQ3LFF5rƃAȽg~d>>}]HJ/aȠF4Պ v_h}`ّ=/~7Ă+<"eO}%{-ɗ/,ρ.ȟ --՞AV$DG ʾ O4q{H6|C{o1ُ'u?iq ~/? ^jA7F ~!)?RdE/`j!O9E/S#ÁhHYy3Vv!7Az!TC?8\?yO`9 K#(FGľ%ͦ0[Q`O?sMؽξKKfX b5 _+;b>i6tc 枝 p)H0]=,}往2C)GT3s8Li'+4>#QȴEͼEZ~-]^*znVRUt.r~9vY7,u;,*k_TvH=zB=޵?36 GCJk챨) {P/#Yƞ0s^*{BMjM TYfk4dK'—hn÷ZJKS6MK(i:8LR7diAU@/bPdIeC'׽swq~q`.ծRv=ex5ڎ'_⫹Ac/=Q0&qo—%Z0ysB:[oAkwiC̪Ấ4[A3 XTКT-z3 ߁@TFt >D yЈFPpd, AŇm[}2w1R!ںvtܳ H@}cI~H,>e%7!xr-'h޼= /OX BDұnq :g=޿a Ѕ{C4G9.~>Vw 1nT~B2jjcb/ vmB ^w\&m|"sKt@@F!4GǑRN]l?>GoD=ejjBuw$O8Q&us,A apCercB*Sm,4"~{k|[ !ȶmbV;#9"ccu}=G+aBhtD;g;l؋Mz;*pbCtN4ypa)܇ˇK*u.Pd?Z$+ȅw)d{ -u~"yQ.E\"K?K}ُ*Qy&~ToiҎ$,?@Bn)M-mO L 4ziC Ps>[@5bm0j}sKo<y.heC*u$p/]k>`nB;9avc❹8& F𗩘f:^ 3^H4wcxYZsJ6MR$=`itBaz"GP ,ʱx[<Ho64F48g\PjX>pl>qcCqJ|=-DijR3is?"pirb9#ʳv.W'-tV3pL4s'#Ml|Y$'#Њ(9I1Zx;wKRʫy]a o j5aC3.v2DZGN27GK#+ţzs5O<)HaDS4+tuV*O PiW)2ı3qမEW:ȭdMW/fGKئRMPY1p+}-z^/o3 [ Im4d?8]EէДf!>!q~Qh8o:GkOz룔M}S!,h!. =^OA̼i[D`Ps CBg#x`Wq,AOw T(+&BbN%:ccl݇hORVĸ=Dv¸. %r[)#Yf";~#KM=NBLo,SDf4J̭wNw6~!N7?~/C r1, ]{kUtt?