IDG News Service - WASHINGTON -- Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used, said the former director of cybersecurity for the U.S. Department of Homeland Security.
Creating software assurance tools was one long-term focus of the DHS National Cybersecurity Division during Amit Yoran's tenure there, Yoran said today during the E-Gov Institute Homeland Security and Information Assurance Conferences in Washington.
About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes.
"Today's developers ... oftentimes don't have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," Yoran said.
Government research into some such tools is in its infancy, however, he added. "This cycle will take years if not decades to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance."
Yoran, who resigned from his DHS position in September after being on the job for a year, hinted at why he left, but sidestepped a question about the reasons. In the private sector, he had a "real objective" on how to move forward, he said.
"When you move into a strategic and somewhat ill-defined role of 'protect cyberspace,' that's a very difficult mission to get your arms around," he said. "You show up to work on a Monday morning, you're ready to put your fingers to the keyboard, you've got a team of folks working with you, what do you do ... to secure cyberspace from within the Department of Homeland Security?"
Most Internet resources are owned by the private sector, and the U.S. government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice president of worldwide managed security services at Symantec Corp. With no operational or regulatory control over most of the Internet, the goal of securing cyberspace at DHS was difficult, he said.
Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address.
Yoran, however, defended President George W. Bush's National Strategy to Secure Cyberspace, released in February 2003. The strategy, which sets out five major cybersecurity recommendations, did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said.
"As the Department of Homeland
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!