IDG News Service - WASHINGTON -- Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used, said the former director of cybersecurity for the U.S. Department of Homeland Security.
Creating software assurance tools was one long-term focus of the DHS National Cybersecurity Division during Amit Yoran's tenure there, Yoran said today during the E-Gov Institute Homeland Security and Information Assurance Conferences in Washington.
About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes.
"Today's developers ... oftentimes don't have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," Yoran said.
Government research into some such tools is in its infancy, however, he added. "This cycle will take years if not decades to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance."
Yoran, who resigned from his DHS position in September after being on the job for a year, hinted at why he left, but sidestepped a question about the reasons. In the private sector, he had a "real objective" on how to move forward, he said.
"When you move into a strategic and somewhat ill-defined role of 'protect cyberspace,' that's a very difficult mission to get your arms around," he said. "You show up to work on a Monday morning, you're ready to put your fingers to the keyboard, you've got a team of folks working with you, what do you do ... to secure cyberspace from within the Department of Homeland Security?"
Most Internet resources are owned by the private sector, and the U.S. government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice president of worldwide managed security services at Symantec Corp. With no operational or regulatory control over most of the Internet, the goal of securing cyberspace at DHS was difficult, he said.
Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address.
Yoran, however, defended President George W. Bush's National Strategy to Secure Cyberspace, released in February 2003. The strategy, which sets out five major cybersecurity recommendations, did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said.
"As the Department of Homeland
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts