Security is bigger than finding and fixing bugs

I’ve been catching up on various security-related articles that I’ve been meaning to read, and the following article was on the list: google-shares-its-security-secrets.aspx, about Google’s “security secrets.”
Quoting from the article:

“In order to keep its products safe, Google has adopted a philosophy of ‘security as a cultural value’. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.”

I think it is great that Google has a security program they are willing to talk about, and I could not agree more with the ‘security as a cultural value’ philosophy. But isn’t there something really fundamental missing here? Design? There is a lot more to software engineering than coding and testing.
The SDL has a very large set of implementation-related requirements, but there are many design-related requirements also.

Computer security experts have known since the early 1970s that you have to get the design right, and our experience with the SDL over the last 5 years has taught us that you need to consider security and privacy very early in the design phase (but remember, you have to ship too!) and follow a consistent end-to-end process if you truly hope to reduce vulnerabilities and create more secure software. This is how the SDL is helping to create ‘security as a cultural value’ at Microsoft.

We’ve seen a general trend downward in security vulnerabilities in Microsoft products, and the IBM X-Force 2008 mid-year report backs the assertion that we’re making progress: according to the report, Microsoft’s share of total vulnerabilities decreased from 3.7% in 2007 (1st place) to 2.5% in the first 6 months of 2008 (3rd place). (That 2.5% covers all Microsoft products; a more appropriate comparison might be Windows vs Linux vs Mac OS X, or SQL Server vs Oracle vs DB2.) This is an encouraging signal that the SDL is working on a large scale… of course, it might also show that vulnerability researchers are moving to easier targets, which, to me, shows the SDL is working too.
What do you think?

Join the conversation

  1. Den

    Hi:  I’ve read in a couple of places that design and architecture are responsible for as many as 50% of security vulnerabilities.  I’m reading Anderson’s "Security Engineering" and there’s your "Writing Secure Code".  McGraw in "Software Security" stresses the point but provides so little information that you’re not really sure what sorts of design flaws to look for.

    I think there’s a need for a book that squarely attacks this issue.

    Why don’t you write one?

    Thanks, Den
