Wednesday, December 7, 2016

Designing Software with a Hundred Times Less Vulnerability

Computer scientists have been researching how to dramatically reduce vulnerability in software, and the only way really to be sure is to send the drones on a mission to Bluffdale, but that won't likely happen soon.  (Science Daily:  Safer, less vulnerable software is the goal of new computer publication)


- Science Daily

The Rockhouse consideration of the chart:

Formal Methods are not clear.

System Level Security goes back at least thirty years but that never stopped programmers from writing spaghetti code.

Additive Software Analysis:  to some extent, that's IBM z/OS, and banks hardly ever get hacked directly.  Rather, subsidiary support systems are / were frequently installed with lower security standards and, whammo, your credit cards are in Bluffdale going to the Dark Web.  The CIA / NSA doesn't hack them, or not obviously, because the banks belong to them anyway (i.e. that's one of the ways Washington borrows the money since they rarely pay for anything).

Domain Specific Networks may be talking about the chaos of computer languages, which doesn't typically apply to systems programmers, who usually only write assembler code because of the tight relationship with the operating system; the introduction of compiler code brings a truckload of code you did not write and which often smells.

Moving Target Defense may be a failover recovery with, for example, banks because the physical system is huge and won't move anywhere soon.  In the mainframe environment all of the big systems typically mirror data in real time to some off-site location and often a better recovery is to do that in two stages so the 'gold copy' in the repository or archive is immaculate until it's replaced by a pristine image from the intermediate site.

However, any dirt planted at the primary site will get propagated to all of them if it is not detected or prevented immediately.  That's typically the method for 'time bombs' but those come from the inside since the errant programmer needs time to escape whereas any hacker wants it right now.


In general, they're likely talking about small system code and we can commiserate with each other regarding the misery of using any of it since it's so damn unreliable.  The tightest code usually comes from individuals but that's also where you will often get the worst code.  Only the very best are capable of working in teams to develop code and IBM has been working on how to do that for well over half a century.

ALLTEL provides the software used in many banks and presumably it works when they deliver it but then the programmers start screwing with it so they can help the bank pretend it's different from any other.  That code was blowing up constantly and there was never a day in which they would miss bollixing a production run in some way.


Security is, of course, a major concern for almost everyone who uses technology these days, and Black said that the White House's original request for these approaches was part of its 2016 Federal Cybersecurity R&D Strategic Action Plan, intended to be implemented over the next three to seven years. But though ideas of security permeate the document, Black said the strategies have an even broader intent.

"Security tends to bubble to the surface because we've got adversaries who want to exploit weaknesses," he said, "but we'd still want to avoid bugs even without this threat. The effort to stymie them brings up general principles. You'll notice the title doesn't have the word 'security' in it anywhere."

- Science Daily

You can sure tell when something is written for the government, huh?  (larfs)
