Securing an insecure world

Why do we have insecure software? That is a question Edward Roback, a computer security expert, is often asked.

"There are many answers," said Roback, chief of the computer security division at the National Institute of Standards and Technology. The first is that anything to do with software is complex, he said, and security is no exception.

A second reason is a lack of standards for secure software. Consequently, everybody tends to have unique ideas about it, Roback told Federal Computer Week.

But even where standards for secure software exist, software testing reveals that programmers often fail to translate standards into correct code, Roback said. Most software is not adequately tested before it is sold and used.

And why is software not thoroughly tested before people start using it? In part, Roback said, because there are few tests available for examining software that are quick, cheap and fast.

Finally, Roback said, software is insecure because not much good advice is available to help people use the security features that do exist in products.

Software security is not only complex but also mysterious, Roback said. "If you go buy a printer, hook it up to a PC and send it something to print, you can tell whether it works," he said.

But if someone hooks up a firewall, for example, it is a mystery whether it works or not. "It sits there and hums, and you don't know if it's doing it right or wrong," he said.

Roback said software security must improve. "I hope that it would get better, but the indications are that it's very challenging to get better," he said.

Software quality is another concern, Roback said. Software quality has implications for usability and even for the safety of human life. "Does the software do what it is intended to do, and does it not do the unintended?

Roback asked, "How do you go about finding out whether there is a trap door or a Trojan horse buried in two million lines of code? It's a very challenging problem," he said, "and a very important one."

Featured

  • Veterans Affairs
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA health record go-live pushed back to July

    The Department of Veterans Affairs is delaying a planned initial deployment of its $16 billion electronic health record project by four months, but is promising added functionality at the go-live date.

  • Workforce
    The Pentagon (Photo by Ivan Cholakov / Shutterstock)

    Esper says he didn't seek the authority to gut DOD unions

    Defense Secretary Mark Esper told lawmakers he was waiting for a staff analysis of a recent presidential memo before deciding whether to leverage new authority.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.