IEEE Center for Secure Design wants tech industry to stop 'doing dumb stuff'

Google, Twitter, HP and Intel - they have a security dream


Software is riddled with ‘dumb’ design flaws that undermine security, and the IEEE and a clutch of big tech firms including Google, Twitter, HP, Intel and several universities have decided to launch a new organisation to do something about it.

Called the IEEE Center for Secure Design (IEEE CSD), the new initiative has set itself the task of campaigning against fundamental flaws in the way software is designed before it is even implemented in code. This includes flawed assumptions about trust and the nature of user identity, and simple things such as forgetting how easily users can be manipulated into bypassing apparently watertight security mechanisms.

To help explain what this means, the IEEE CSD accompanied its formal launch with a 31-page Top Ten design flaws report outlining common problems in software. Given the scale of the problem, only 31 pages, you might cry? It is pretty abstract, although anyone interested in security will be familiar with a lot of the content.

We don’t normally print long lists but the IEEE CSD’s groupthink recommendations are worth casting an eye over.

  • Earn or give, but never assume, trust
  • Use an authentication mechanism that cannot be bypassed or tampered with
  • Authorize after you authenticate
  • Strictly separate data and control instructions, and never process control instructions received from untrusted sources
  • Define an approach that ensures all data are explicitly validated
  • Use cryptography correctly
  • Identify sensitive data and how they should be handled
  • Always consider the users
  • Understand how integrating external components changes your attack surface
  • Be flexible when considering future changes to objects and actors

It reads like a way of rolling back the old 1980s and 1990s world view – which still dominates thinking in the tech industry if truth be told – that bad things probably won’t happen and people won’t abuse technology.

Since the early 2000s, with computer security slowly imploding, it’s as if firms and their customers have been waiting for someone to press a magic reset button. Although not quite that button, the fact that the CSD has IEEE in its name is meant to communicate that it is in it for the long haul.

As well as Google, HP, Twitter and Intel/McAfee, other launch members include Athens University of Economics and Business, Cigital, EMC, George Washington University, Harvard University, RSA, Sadosky Foundation, Ministry of Science, Technology and Productive Innovation of Argentina, and the University of Washington.

A few names are missing – no Cisco, no Oracle, no Facebook and no Microsoft for a start, the latter perhaps a revealing gap. Microsoft is a perfect case study in how complex it is to close the gap between knowing something is badly designed and actually doing something about it.

For instance, in its Top Ten paper, the IEEE CSD mentions principles such as ‘design for secure updates’ on page 29. “It is easier to upgrade small pieces of a system than huge blobs.”

But the world's most famous 'blob' software is surely Windows, an operating system that up to Windows 8 has been a succession of event launches years apart. Over time, this has caused Microsoft considerable struggles as design assumptions prove incorrect or inadequate, leading to Service Packs and refreshes on top of a complex monthly patching cycle.

And yet it was Microsoft that launched the Security Development Lifecycle (SDL) in 2005 to improve the core security of its operating system and programs, a pioneering initiative at the time. But might an operating system that evolved gradually Linux-style over time have offered better inherent security and less user stress?

So instead of waiting years to ship Windows 7 and then Windows 8, Microsoft could have de-blobbified itself with regular, perhaps bi-annual, releases - former CEO Steve Ballmer would have slammed the door off its hinges if anyone had suggested that profit killer.

“Bugs and flaws are two very different types of security defects,” said Gary McGraw, CTO of consultancy Cigital, another participant in the organisation.

“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 percent of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large.”

Late last year, Cigital released the fifth version of its respected Building Security In Maturity Model (BSIMM), a security analysis model based on real-world behaviour.

“The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security,” said Twitter security engineer, Neil Daswani.

“By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service.”

Industry collaborations happen from time to time and usually quietly disappear once the champagne has run out. If this one can overcome the natural instinct of tech vendors to sell things and 'to hell with next week', it might yet amount to something.


