Everywhere you turn these days, someone is talking about security.
Microsoft Corp. has announced a massive effort to improve the security of its products, a strategy that included a two-month-long review of Windows code and weeks of training for developers.
A group of government agencies and industry organizations recently released a set of guidelines for securing Windows 2000 machines.
Even President Bush is in on the act, unveiling a proposal that would unite most of the governments information security watchdogs under the umbrella of the new Department of Homeland Security, creating a central base for the governments efforts.
So, with all the attention that vendors and government authorities are lavishing on security, it would stand to reason that security would be improving.
Not so. In fact, not only is security not improving, its deteriorating at a rapid rate. In the first half of this year, there were 2,148 vulnerabilities reported to the CERT Coordination Center, a clearinghouse for security information and data at Carnegie Mellon University, in Pittsburgh. Compare that with the 2,437 flaws reported during all of last year, and you get some idea of how bad things are.
The higher number of vulnerabilities is translating into an increase in the number of security incidents as well. CERT recorded 43,136 incidents in the first half of this year, compared with 52,658 for all of last year. If incidents continue to accrue at that rate for the rest of the year, there will be nearly 40 percent more attacks this year than last.
While almost everyone in the security industry, and the software sector at large, concedes that the number of vulnerabilities is a problem, no one seems to be willing to shoulder much of the responsibility. Rather, shifting the blame for security problems has become something of a parlor game.
Even Bill Gates has taken a turn. In an e-mail sent earlier this month to Microsoft customers, the Redmond, Wash., companys chairman and chief software architect outlined the progress Microsoft has made in its Trustworthy Computing initiative, listing several key accomplishments.
But Gates also took the opportunity to move the spotlight off his company and suggest that the number of security problems found in Microsoft products are the result of a confluence of events and not shoddy programming.
“This is an important part of the evolution of the Internet because without a Trustworthy Computing ecosystem, the full promise of technology to help people and businesses realize their potential will not be fulfilled,” Gates wrote. “Ironically, it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities.”
Page Two
: Disputing Gates”>
Many security experts dispute Gates assessment of the problem. They counter that common vulnerabilities, such as buffer overruns, are the end product of a marketplace that demands features and functionality above all else and inevitably rewards vendors that produce inexpensive, easy-to-use software.
“Why is [it] that we have to pretend that everyone is nice and honorable and tries to do the best all the time? I would say that Bill Gates is lying,” said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., in Cupertino, Calif. “He knows that vulnerabilities are mistakes made by programmers. They are mistakes in specifications and mistakes in coding. They are the result of a focus on features rather than security.”
Others say the problem begins with poorly trained developers working on projects with no formal design specifications and little direction aside from getting it out the door as quickly as possible. The government should also share some of the responsibility for the continued increase in software vulnerabilities, as it has done little to fund research or education in information security, experts say.
That may change in the coming years as the focus on national security trickles down to the university level. But for now, there is little optimism.
“The marketplace hasnt stopped. There will always be pressure to add new features,” said Gene Spafford, professor of computer science at Purdue University, in West Lafayette, Ind., and a well-known expert on information security. “As we add more features, the problem will get worse; not linearly but probably exponentially. Theres no design specifications, no quality control. Theres a point at which you have to stop slapping Band-Aids on it and say theres something wrong here.”
And because many vendors continue to use their old code base as the foundation for upgrades as well as new products, the existing problems are bound to get worse before they get better, Spafford said.
“Theres a huge quantity of code out there that was badly designed, and until that code is replaced, well continue to have problems,” Spafford said. “There are technologies out there that build better software, but it requires training. Most vendors write in C and C++ because theyre cheaper and they can reuse a lot of their code. If I produce a student who knows how to write really sound code in Modula-3, whos going to employ them?”
Related stories:
- Survey: IT Embracing Security
- Whos Watching Whom?
- Security: Time to Take Names, Lay Blame
- Security Quandary: Whos Liable?
- Ignorance: The Hackers Best Friend
- Trail of Destruction: The History of the Virus
- Proposal Calls for Quick Response to Flaw Discoveries
- More Security Coverage