C. Warren Axelrod

Cybersecurity is Failing … per Spafford

Eugene Spafford, the highly regarded executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, is well known for his outspokenness. This trait again came to the fore in a June 24, 2014 CRN article by Robert Westervelt, “Security Expert: Industry Is Failing Miserably At Fixing Underlying Dangers,” available at http://www.crn.com/news/security/300073238/security-expert-industry-is-failing-miserably-at-fixing-underlying-dangers.htm?itc=xbodyrobwes

In the article, Spafford is quoted as saying: “Software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas …” He makes further comments about the increasing attack surface and the inadequacy of security platforms.

Spafford’s remarks echo many of the points I have made in various BlogInfoSec columns and elsewhere about the need to build security into software by including security requirements and considerations at each stage of the development lifecycle. As he puts it: “Without an investment in computer programming education and a major move to embed software security concepts early into the development process, the problems will continue to get worse.”

Unfortunately, Spafford does not offer any actionable recommendations for how to ensure that we will develop more secure software. And there’s the rub. Without real incentives to produce more secure software, or biting disincentives for failing to do so, we will only see continued deterioration in the quality of software from a security perspective. In my book “Engineering Safe and Secure Software Systems” (Artech House, 2012), I support improved computer programming education, particularly with respect to cybersecurity and safety engineering, and strongly encourage management to insist on incorporating security and safety requirements from the earliest stages of a software project. However, I also recognize that this normative approach will have little impact without the force of law behind it, a position that many in our profession are reluctant to endorse. Nonetheless, governments must take on this challenge, since it affects not only individuals but nations and the world as a whole.

It really is a “pay now or pay later” situation, with the bill for remediation, as well as the financial and less tangible losses caused by software lacking proper security and safety, growing ever larger. At what point will those in power realize that this is a task that must be addressed quickly and on a massive scale? That’s anybody’s guess. But occur it surely will. And then the desperate attempt to fix it all will begin.
