Aircraft engineering vs. Software engineering

Today I was able to participate in the 10th Annual AT&T Cyber Security Conference. The agenda for the conference can be viewed here. Regardless of how you may feel about AT&T the company, the webcast was quite informative and covered a wide range of topics and speakers. One of the presentations that stood out in my mind was given by Dr. Edward Amoroso, AT&T Sr. VP and CSO. The reason this particular presentation stood out is that he made an interesting comparison near the end of it that I find inherently flawed. The question he posed was: when will software engineering have the same level of structured process and assured quality as aircraft engineering?

In the first place, I would never compare the two, and I know few people who would. On the one hand, aircraft engineers have a huge responsibility in that if their product fails, hundreds of people at a time could potentially lose their lives. I know of few systems, other than aircraft software, with such impacts. Secondly, aircraft engineers are given copious amounts of time to develop their product and "get it right". Software developers are generally told to get the product out as fast as possible, and if it passes the functional tests it is considered finished and good to go. If aircraft engineers were given the same leeway, many more planes would be falling out of the sky.

Now to look at it from a security perspective: one of the leading causes of poorly implemented security controls, and of flawed software in general, is a lack of sufficient design and development time. Secure software simply takes longer to write. It is a fact. Such software almost always has a larger code base than a similarly functional product with less security. This is only logical and should not surprise anyone, as the implemented security controls require code. Consequently, a software product with more security should take longer to write. Now I am not advocating that more security means more secure. Do not take the above statements in the wrong manner. I simply mean to say that software that has the appropriate security controls in place to protect the application and its data will have more code.

The quality issue has to be addressed at a managerial level. Management must come to the realization that testing quality software means testing more than just functionality. An application, web or otherwise, needs to be evaluated for more than what it is designed to do. It needs to be tested for what it can do. Test not only for what the developers designed it to do, but for what an attacker can make it do that it was never designed to do. All of this testing does add time to the development schedule, but it is necessary time to ensure quality software.
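The difference between testing what an application is designed to do and testing what it can be made to do is easiest to see in code. The following is an added example, not code from the original post or from the conference: a small file-serving helper in two versions, a functional test that both versions pass, and a set of abuse-case tests that only the hardened version passes. The directory layout, file names and the abuse inputs are all constructed for the example.

```python
"""Added example (not from the original post): functional tests versus
abuse-case tests for a small file-serving helper.

The naive version passes a purely functional test (it returns the file the
caller asked for). The abuse-case tests exercise what the function *can* do
when handed input it was never designed for; the hardened version passes
all of them. Paths and file names below are constructed for the example.
"""
import tempfile
from pathlib import Path

# Constructed sandbox: a "public" directory and a file outside it that the
# helper must never serve.
ROOT = Path(tempfile.mkdtemp())
PUBLIC = ROOT / "public"
PUBLIC.mkdir()
(PUBLIC / "readme.txt").write_text("public document")
(ROOT / "secret.txt").write_text("not for download")


def read_public_naive(name: str) -> str:
    """Designed behaviour only: join the name onto the public directory."""
    return (PUBLIC / name).read_text()


def read_public_hardened(name: str) -> str:
    """Same designed behaviour, plus checks on what the input could make it do."""
    if not name or "\x00" in name:
        raise ValueError("invalid file name")
    # Resolve symlinks and '..' components, then require the result to stay
    # inside the public directory.
    target = (PUBLIC / name).resolve()
    root = PUBLIC.resolve()
    if target != root and root not in target.parents:
        raise PermissionError("path escapes public directory")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def functional_case(reader) -> bool:
    """What the developers designed it to do: serve a public file by name."""
    return reader("readme.txt") == "public document"


# Abuse cases: input the helper was never designed for. Each one should be
# rejected rather than answered.
ABUSE_INPUTS = [
    "../secret.txt",            # parent-directory escape
    str(ROOT / "secret.txt"),   # absolute path replaces the base directory
    "readme.txt\x00.jpg",       # embedded NUL byte
    "",                         # empty name
]


def abuse_cases_rejected(reader) -> bool:
    """True only if every abuse input raises instead of returning file data."""
    for bad in ABUSE_INPUTS:
        try:
            reader(bad)
        except (ValueError, OSError):
            continue
        # Returning anything at all for an abuse input is a failure.
        return False
    return True


def report() -> dict:
    """Summarise both implementations against both kinds of test."""
    return {
        "naive": (functional_case(read_public_naive),
                  abuse_cases_rejected(read_public_naive)),
        "hardened": (functional_case(read_public_hardened),
                     abuse_cases_rejected(read_public_hardened)),
    }


if __name__ == "__main__":
    for impl, (functional, abuse) in report().items():
        print(f"{impl}: functional={'pass' if functional else 'FAIL'} "
              f"abuse-cases={'pass' if abuse else 'FAIL'}")
```

Run as a script, the naive version reports a passing functional test and a failing abuse-case test, which is exactly the situation the paragraph describes: a product that passes "the functional tests" and is declared finished, while what it can be made to do was never examined. The hardened version passes both, and the extra checks are the additional code and schedule time the post argues for.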

So to answer Dr. Amoroso's question: software engineering will never have the same level of structured process and quality assurance as aircraft engineering unless developers and testers are given the time, and emphasis is placed on more than just functional testing. As long as software has to be developed today and deployed yesterday, flawed software will continue to be pushed out the door.