
These are a few of my favorite things

I got voicemail from Gary McGraw last week. As usual, he got right to the point:

"Hey Brian, send me an e-mail with the 5 best things that happened in software security lately. You know, five good things. Thanks." Click.

"Good things"? Hmm…. It seems like I spend all of my time thinking about bad things. Finding vulnerabilities, weighing risks, and always scrambling to keep up with all of the new security dilemmas that are looming. I could have rattled off a list of a dozen software security disasters and near disasters without stopping to take a breath. But good things? Gary had thrown out a most excellent challenge. (Tip: don't give Gary your phone number if you don't like such challenges.) Okay Gary, here's my list:

1) Software security has become a competitive advantage
When Firefox hit the mainstream, software security was on the short list of major benefits. The Firefox creators were banking on the idea that people were tired of all of the cruft that Internet Explorer seems to collect, not to mention all of the security bulletins and never-ending stream of patches. It turns out that Firefox has had its share of security problems too, but the point has been made: people want software they can trust.

2) The SDL has arrived
The software security problem has been around for quite a while, but it's not until recently that there's been widespread agreement on the solution: incorporating security into the software development process.
- Gary McGraw says it in Software Security: Building Security In.
- Michael Howard and Steve Lipner outline Microsoft's approach in SDL: The Security Development Lifecycle.
- CERT and SEI say it on the Build Security In web site.

3) Software security has become a purchasing factor
Want to license your whiz-bang new software creation to a big company? Increasingly, you can expect security to be part of the equation. Here's a programmer who was a little freaked out when his customer wanted to look at his code, but this is going to become the norm. It'll happen in heavily regulated industries first, but it's going to spread from there.

4) Buffer overflow dethroned
2005 was the first year ever that buffer overflow was not the most-reported vulnerability in CVE. This makes it a lot easier to explain that software security is a lot more than just buffer overflow. This is particularly important when it comes to explaining why silver bullet prophylactic "solutions" don't work. Silver bullet vendors, you know who you are.

The final CWE report is here:

5) The MS Singularity project
The Singularity project out of Microsoft Research is a completely new operating system that's built from the ground up to be secure and reliable. Don't expect it to replace Windows any day soon, but likewise don't be surprised if some of the Singularity concepts start popping up in other places. My favorite: Singularity programs are closed; you can't dynamically load new code after the program begins executing. That means you can use static analysis to make strong guarantees about how the program will behave. Good stuff.

This page contains a single entry from the blog posted on October 31, 2006 11:50 AM.