Wyatt Kash | Code proofing
Trying to hold back the mounting tide of serious cyberattacks on federal networks has been cause for concern among information security specialists for years. That lawmakers, led by Rep. James Langevin (D-R.I.), chairman of the Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, convened a hearing on the subject last month suggests that the situation's seriousness is finally gaining broader attention. But it also conjures up the image of a thousand Dutch boys with their fingers in a dike while a group of elders discuss their concerns about the growing number of puddles.
Lawmakers should treat reports of the massive denial-of-service attacks that struck Estonia in recent weeks as a harbinger of coming strategic assaults. Security response is another thing to watch. And one area warranting new attention is how well agencies are proofing the code in their software.
For all the effort to move to commercial software, the government will always need a certain number of customized solutions. Yet too little attention is paid to assessing the reliability and security of the coding in those solutions.
For one thing, it's hugely expensive and time-consuming to check line by line for code flaws in a new software implementation. Then there's the matter of who owns the code. Tight budgets and tighter deadlines inevitably put the onus on contractors to check the coding and fix errors. Yet failing to conduct adequate code audits is akin to letting contractors build a high-rise without the benefit of building inspectors.
The sad fact is that the vast majority of security vulnerabilities could be found easily using techniques that require relatively little expertise.
That's why a coalition of major technology users and vendors led by the SANS Institute deserves credit for trying to bring new attention and resources to improve secure-coding skills.
The SANS Software Security Institute (www.sans-ssi.org) is developing a new skills assessment and certification program for programming professionals to gain secure-coding credentials.
Certification programs, like policies, won't stop the most determined hackers. But working to eradicate faulty coding is essential to reducing the cracks in the government's cybersecurity dike, and more likely to succeed than most policies.

Wyatt Kash, Editor in chief