[ISN] NSA: Our Development Methods Are in the Open Now

From: InfoSec News <alerts_at_private>
Date: Thu, 11 Nov 2010 01:20:16 -0600 (CST)
http://threatpost.com/en_us/blogs/nsa-our-development-methods-are-open-now-111010

By Dennis Fisher
threatpost
November 10, 2010

WASHINGTON -- Despite its reputation for secrecy and technical 
expertise, the National Security Agency doesn't have a set of secret 
coding practices or testing methods that magically make their 
applications and systems bulletproof. In fact, one of the agency's top 
technical experts said that virtually all of the methods the NSA uses 
for development and information assurance are publicly known.

"Most of what we do in terms of app development and assurance is in the 
open literature now. Those things are known publicly now," Neil Ziring, 
technical director of the NSA's Information Assurance Directorate, said 
in his keynote at the OWASP AppSec conference here Wednesday. "It used 
to be that we had some methods and practices that weren't well-known, 
but over time that's changed as industry has focused more on application 
security."

Ziring said that even within the NSA, the problems of application 
security remain maddeningly difficult to solve. The agency, which is 
responsible for both protecting the communications of the U.S. 
government and eavesdropping on those of hostile nations, faces many of 
the same challenges that private enterprises and other organizations do 
when it comes to writing secure applications and defending deployed 
apps.

"Assurance is very hard to do for apps, especially lightweight, 
distributed apps. They don't have a clean, waterfall lifecycle," Ziring 
said. "Very few applications start from a clean slate. They're built on 
the existing code bases and they have to work with other existing apps 
and they have to be updated frequently.

[...]


Received on Wed Nov 10 2010 - 23:20:16 PST
