John Gilligan, the Air Force's deputy CIO, last month called on software developers to improve the quality of their products.
Commercial software has too many security holes and default settings open to attack, Gilligan said. Software should be reasonably secure before release, he said, and government buyers should be willing to pay something extra.
It's not a new idea, but until now it has been considered pretty radical'an issue for security geeks. Now a major government customer is talking about demanding'and paying for'software security out of the box. It just might take off if the slowing economy changes vendors' drive to be the first to market.
Like most good ideas, it's no panacea. There are at least three reasons why software security management is going to be difficult for the foreseeable future.
First, there are no widely accepted standards for what constitutes safety. No one agrees on debugging procedures that would make software reliable out of the box. That doesn't mean bugs cannot be removed, but there's no seal of approval.
Second, ferreting out security holes in complex programs is tough. Vulnerabilities usually are not confined to a single line of code. They arise when multiple instructions, widely separated and each doing its own proper job, are invoked under specific conditions.
Third, legacy software by definition sticks around for a long time. If vendors began turning out completely secure software tomorrow, there still would be plenty of buggy software that would continue to need patches for years to come.
None of this means that developers should not improve the security of the software they write. But for the time being, keeping patches up to date is going to remain the first line of defense.
There's some comfort in the fact that a small percentage of vulnerabilities account for the majority of exploits month after month. The FBI and the SANS Institute of Bethesda, Md., have listed the top 20 vulnerabilities on the SANS site, at www.sans.org
Of course, even if systems administrators everywhere plugged all 20 holes, another top 20 would come along to take their place'but that's job security.