Securing an insecure world

Why do we have insecure software? That is a question Edward Roback, a computer security expert, is often asked.

"There are many answers," said Roback, chief of the computer security division at the National Institute of Standards and Technology. The first is that anything to do with software is complex, he said, and security is no exception.

A second reason is a lack of standards for secure software. Consequently, everybody tends to have unique ideas about it, Roback told Federal Computer Week.

But even where standards for secure software exist, software testing reveals that programmers often fail to translate standards into correct code, Roback said. Most software is not adequately tested before it is sold and used.

And why is software not thoroughly tested before people start using it? In part, Roback said, because there are few tests available for examining software that are quick, cheap and fast.

Finally, Roback said, software is insecure because not much good advice is available to help people use the security features that do exist in products.

Software security is not only complex but also mysterious, Roback said. "If you go buy a printer, hook it up to a PC and send it something to print, you can tell whether it works," he said.

But if someone hooks up a firewall, for example, it is a mystery whether it works or not. "It sits there and hums, and you don't know if it's doing it right or wrong," he said.

Roback said software security must improve. "I hope that it would get better, but the indications are that it's very challenging to get better," he said.

Software quality is another concern, Roback said. Software quality has implications for usability and even for the safety of human life. "Does the software do what it is intended to do, and does it not do the unintended?" Roback asked.

"How do you go about finding out whether there is a trap door or a Trojan horse buried in two million lines of code? It's a very challenging problem," he said, "and a very important one."
