Software: The eternal battlefield in the unending cyberwars

Internet attacks take many forms, but most of them exploit persistent weaknesses in software.

“We are at risk. Computers are vulnerable to the effects of poor design, insufficient quality control, accident and, perhaps more alarmingly, to deliberate attack.” — Computers at Risk, Computer Science and Telecommunications Board, National Research Council, 1991.

Now, 18 years later, we are still at risk. Our computers are still vulnerable. They still suffer attacks enabled by poor design and insufficient quality control. We spend huge sums on IT security, yet U.S. companies and individuals are loosing tens of billions of dollars annually to cybercrime.  In January, Heartland Payment Systems Inc. reported what may be the largest data heist ever.  The company said that a “global cyberfraud operation” stole information from more than 100 million credit cardholders. Someone had planted a software “sniffer” in a Heartland server disk, where it apparently nosed around undetected for weeks. ….

“Our opponents in cybersecurity are winning, and they will continue to win,” says Jim Routh, chief information security officer at The Depository Trust & Clearing Corp. “This is not a war we will ever see an end to.”   ….

In January, The Mitre Corp. and SANS published a list called the Top 25 Most Dangerous Programming Errors, coding mistakes that make software vulnerable to attack. Alan Paller, research director at SANS, says most universities do a poor job of teaching students how to avoid these mistakes. “There is nothing nearly as important for improved security of software than getting [universities] to take responsibility for the lack of secure coding skills of their graduates,” he says.

Fred Schneider, a computer science professor at Cornell University, disagrees. ….

But Schneider and Paller agree on at least one thing: While quite a lot is known now about secure coding practices, there is little agreement on what makes for a secure system design. “Nobody understands what it is about an architecture that contributes to a system being secure,” Schneider says. “It’s hard to recognize a bad design if you don’t know how to tell a good design when you see it.”

But even the best protective measures will never completely do the job, says Robert Lucky, a research vice president at Telcordia Technologies Inc. Lucky chaired a U.S. Department of Defense task force in 2006 that looked into the threat from malicious code secretly inserted in U.S. software developed abroad. His report detailed a number of steps that could be taken to help protect against such sabotage, but he told Computerworld recently that he considers the problem of cybercrime “intractable.”

DCL: It may be “intractible”, but I wonder if more could be done to detect malware operations when they occur… and before they do damage. A little CEP, perhaps?