Software: The eternal battlefield in the unending cyberwars

Internet attacks take many forms, but most of them exploit persistent weaknesses in software.

1 2 3 4 Page 4
Page 4 of 4

Scherlis says that a typical desktop can have 5,000 or more executable files, with many of uncertain origin. Additionally, there are hidden files and dynamic modifications to files. "That's pretty scary," he concludes.

"Attend to the provenance" of your software, Scherlis says, and "be absolutely rigorous about configuration management and configuration integrity, both during development and ceaselessly during operations."

In the meantime, he says, an emerging idea is for builders of software to produce evidence that their code meets certain criteria. Developers can help buyers and users evaluate software by providing test cases, models, linked documentation such as Javadoc, development/configuration logs, bug/issue logs and analysis results, he says.

Robert Lucky

But even the best protective measures will never completely do the job, says Robert Lucky, a research vice president at Telcordia Technologies Inc. Lucky chaired a U.S. Department of Defense task force in 2006 that looked into the threat from malicious code secretly inserted in U.S. software developed abroad.

His report detailed a number of steps that could be taken to help protect against such sabotage, but he told Computerworld recently that he considers the problem of cybercrime "intractable."

"The bottom line for me is always risk assessment," he says. "You can't spend an infinite amount of money. You have to make intelligent trade-offs and accept risk."

The best approach, Lucky advises, is to identify those system components that are critical and sensitive, and "spend the big bucks" only on those. But he admits that it's not easy to list all the critical components in a large, complex system.

No matter what users and vendors do, Cornell's Schneider warns against complacency. Schneider, who chairs Microsoft's external advisory board on security, says, "It's clear [Microsoft's] software is much more secure than it was five years ago -- no question."

But whether software is more secure is not the right question to ask, he says, "because the threat has changed, too."

The fact that software has gotten better is nice, he says, "but software is getting more complex, and the rate of successful attack seems to be increasing."

The challenge today is to approach the problem more holistically. And we'd better hurry, Schneider says, because the attackers are nowhere near as skilled as they could become.

"There are lots more sophisticated methods of attack that they don't yet use," he says. "Our software could get better, and they would still have many tricks."

Next: The grid: The new ground zero in Internet warfare

Copyright © 2009 IDG Communications, Inc.
