Security expert: More developer education needed

IDG News Service - WASHINGTON -- Software vendors need to create security education programs for their programmers in order to deliver software products that are more secure to their customers, an Oracle Corp. security expert said today.
Developer education and pressure from large buyers such as the U.S. government are two key ingredients in better software security, said Adam Jacobs, Oracle's principal product manager, during a presentation at the InfraGard National Conference in Washington.
During the InfraGard event, which focused both on cyber and physical security, Jacobs and other cybersecurity experts gave various reasons for the common complaint that commercial, off-the-shelf software is often riddled with security holes. Jacobs seemed to partly agree with David Aucsmith, chief technology officer at Microsoft Corp.'s security business and technology unit, who said at InfraGard yesterday that software vendors often ignored security functionality in order to make their products easier to use, at least until recent years.
Aucsmith used the example of the Windows 95 operating system, which had "no security" as a design goal because users wanted an easy-to-use system, he said. "We would get points taken away by the analysts and in the press if [software] was hard to configure," he added.
Jacobs agreed that some software was designed poorly, but most security vulnerabilities now come from coding errors -- what he called implementation errors -- not in software designed to be insecure, he said. While more software vendors began focusing on designing more secure software in recent years, security bugs still exist, he added.
"The number of fixes that are coming out to you each month isn't going down; it's going up," Jacobs said. "Your design on paper can be brilliant ... and you hand it off to the developer, and that means nothing when it comes to implementation flaws."
The problem is that many software developers don't understand mistakes that cause buffer overflows or SQL injections, Jacobs said. In the past, Jacobs has encountered Oracle developers who don't understand SQL injections although it's a common vulnerability for the databases that are part of Oracle's core product line. Part of the problem is that many universities teach computer science theory without teaching much about the practice of programming, Jacobs said.

Adding to the problem is that developers are often rewarded for meeting deadlines, but not for writing secure code, Jacobs added. Software vendors need to find better ways to reward slower coders who turn in cleaner code instead of giving bonuses to programmers who turn in buggy code on time, he said. After the fast

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.