[ISN] Former cybersecurity czar: Code-checking tools needed

From: InfoSec News (isn@private)
Date: Fri Dec 03 2004 - 01:40:34 PST


http://www.computerworld.com/securitytopics/security/story/0,10801,97988,00.html

By Grant Gross
DECEMBER 02, 2004 
IDG NEWS SERVICE

WASHINGTON -- Software vendors need automated tools that look for bugs
in their code, but it may be a decade before many of those tools are
mature and widely used, said the former director of cybersecurity for
the U.S. Department of Homeland Security.

Creating software assurance tools was one long-term focus of the DHS
National Cybersecurity Division during Amit Yoran's tenure there,
Yoran said today during the E-Gov Institute Homeland Security and
Information Assurance Conferences in Washington.

About 95% of software bugs come from 19 "common, well-understood"  
programming mistakes, Yoran said, and his division pushed for
automation tools that comb software code for those mistakes.

"Today's developers ... oftentimes don't have the academic discipline
of software engineering and software development and training around
what characteristics would create flaws in the program or lead to
bugs," Yoran said.

Government research into some such tools is in its infancy, however,
he added. "This cycle will take years if not decades to complete," he
said. "We're realistically a decade or longer away from the fruits of
these efforts in software assurance."

Yoran, who resigned from his DHS position in September after being on
the job for a year, hinted at why he left, but sidestepped a question
about the reasons. In the private sector, he had a "real objective" on
how to move forward, he said.

"When you move into a strategic and somewhat ill-defined role of
'protect cyberspace,' that's a very difficult mission to get your arms
around," he said. "You show up to work on a Monday morning, you're
ready to put your fingers to the keyboard, you've got a team of folks
working with you, what do you do ... to secure cyberspace from within
the Department of Homeland Security?"

Most Internet resources are owned by the private sector, and the U.S.  
government has been hesitant to pass cybersecurity mandates, noted
Yoran, former vice president of worldwide managed security services at
Symantec Corp. With no operational or regulatory control over most of
the Internet, the goal of securing cyberspace at DHS was difficult, he
said.

Asked if that lack of authority was a reason for leaving the post,
Yoran said his successor will need to "look at go-forward issues" in
cybersecurity that the division can best address.

Yoran, however, defended President George W. Bush's National Strategy
to Secure Cyberspace, released in February 2003. The strategy, which
sets out five major cybersecurity recommendations, did not advocate
regulation, and the White House took the right approach in developing
those recommendations by consulting with private industry, Yoran said.

"As the Department of Homeland Security ... implementing the national
strategy is not our job; it's not our responsibility," he said. "It's
the nation's job, it's the international technology community's job
and responsibility. We can just help."

The national strategy and efforts at DHS can help move cybersecurity
efforts beyond the current "cat and mouse game" of finding
vulnerabilities, assessing whether to patch them, and patching them
when the problems become painful to companies, Yoran said. He
predicted a "radical transformation" in the cybersecurity field within
two to four years as more companies and government agencies accept
technologies such as Web services, remote Internet access and RFID
(radio frequency identification) tags.

"In the next two to three years, you won't be able to define where
your network begins and ends," Yoran said. "The paradigms we rely on
today for protecting our information -- stronger firewalls, more
accurate intrusion detection -- those types of technologies will be
required, but they will be solving an increasingly small percentage of
the challenges that are going to be facing us."



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Fri Dec 03 2004 - 02:42:55 PST