Typing saves your skin

From: Peter B. Ladkin <ladkin_at_xxxxxx>
Date: Thu, 29 Mar 2007 09:26:08 +0200
Message-ID: <460B6A10.2000309@xxxxxx>
According to a news item from the Institution of Engineering and Technology,
a team organised by the SANS Institute analysed 7000 detected security
vulnerabilities from 1996 (they say "the 7000" but don't say further how they
were identified), and found that 85% of them were caused by three
phenomena:
	* Failure to check user input
	* Allowing buffer overflows (that is, failing to hinder them)
	* Handling integer type checks or overflows incorrectly

SANS spotted an opportunity and put together a course and practical exam
about secure programming, leading to a certificate.

A few observations.

1. Security is not taken as seriously as safety, despite the fact that computer security
problems probably cause more total resource damage than accidents. I have
long believed, with others, that the phenomena in both areas are similar and
thus that similar techniques may be used to assure systems vulnerable to
these sorts of phenomena. Devising a threat model is very similar to hazard
identification, but whereas hazard identification is partly internationally normed,
people programming software on networks, especially on the basis of the WWW,
rarely have anything like a professional engineering qualification or status and
do not feel as bound to discover and adhere to norms that cover their tasks.

It might help to revise international standards on safety to use the word
"dependability" instead of safety, and to use the "specified loss" formulation of
the notion of accident rather than the "physical injury or death" formulation, and
then security vulnerabilities would be covered. Then again, rather than leading
to a higher standard of programming, this might instead just lower the standard of
dependability-case argumentation.

2. Working in a strongly typed programming language would have avoided 85%
of the security vulnerabilities discovered (according to some unspecified
criteria) in 1996.

It is astonishing to me that 47 years after strong typing was invented and recognised,
and after the Turing Award has been presented to such proponents as Dijkstra, Hoare,
Wirth, Dahl, Nygaard and Naur, professionals not using this technology caused
85% of significant errors in a specific field of computer science. I think it is disgraceful.

One could always hope that things have changed in the last 10 years. But obviously
the SANS Institute doesn't think so.

3. The social phenomena in program construction are overwhelmingly more influential
than technical progress. Nothing else could account for phenomenon 2.

Source URL for this story is
http://www.iee.org/oncomms/sector/informationpro/SectionNews/Object/92520512-96A3-7299-40BC84823F900F5F

PBL

-- 
Peter B. Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
Received on Thu 29 Mar 2007 - 08:23:38 BST
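The three phenomena in the list above (unchecked input, buffer overflows, mishandled integer overflows) usually appear together in one piece of code: a length or count read from the wire is multiplied in fixed-width arithmetic, the product wraps, a size check passes, and a later copy writes past the buffer. The following C program is an added example illustrating that chain; it is not from the post, the IET story or SANS. The wire format ([count:4][elem_size:4][payload], little-endian), the BUF_SIZE constant and the sample messages are all assumptions constructed for the example. fits_unchecked is the vulnerable check; checked_mul_u32, fits_checked and parse_message are the hardened forms.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination for the hypothetical protocol below.
   Constructed for this example. */
#define BUF_SIZE 256

/* VULNERABLE: the byte total is computed in 32-bit arithmetic, so
   count * elem_size silently wraps modulo 2^32. A hostile count makes
   the wrapped total tiny, the check passes, and a per-element copy loop
   would then write count * elem_size real bytes past the buffer. */
static bool fits_unchecked(uint32_t count, uint32_t elem_size)
{
    uint32_t total = count * elem_size;   /* wraps: no error, no trap */
    return total <= BUF_SIZE;
}

/* HARDENED: refuse the multiplication before it can wrap. */
static bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;                      /* a * b would exceed UINT32_MAX */
    *out = a * b;
    return true;
}

static bool fits_checked(uint32_t count, uint32_t elem_size)
{
    uint32_t total;
    if (!checked_mul_u32(count, elem_size, &total))
        return false;
    return total <= BUF_SIZE;
}

/* Little-endian header field of the hypothetical wire format. */
static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse [count:4][elem_size:4][payload] into dst with every input
   checked: header present, arithmetic cannot wrap, total fits dst, and
   the payload really carries that many bytes. Returns bytes copied,
   or -1 on any rejected input. */
static int parse_message(const uint8_t *msg, size_t len, uint8_t dst[BUF_SIZE])
{
    if (msg == NULL || len < 8)
        return -1;                         /* truncated header */
    uint32_t count = read_u32_le(msg);
    uint32_t elem_size = read_u32_le(msg + 4);
    uint32_t total;
    if (!checked_mul_u32(count, elem_size, &total))
        return -1;                         /* integer overflow */
    if (total > BUF_SIZE)
        return -1;                         /* would overflow dst */
    if (total > len - 8)
        return -1;                         /* payload shorter than claimed */
    memcpy(dst, msg + 8, total);
    return (int)total;
}

int main(void)
{
    uint8_t dst[BUF_SIZE];

    /* Constructed benign message: 3 records of 2 bytes. */
    const uint8_t good[] = { 3,0,0,0, 2,0,0,0, 'a','b','c','d','e','f' };
    printf("benign: %d bytes\n", parse_message(good, sizeof good, dst));

    /* Constructed hostile header: count = 0x40000001, elem_size = 4.
       0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    const uint8_t evil[] = { 0x01,0x00,0x00,0x40, 4,0,0,0, 'x','x','x','x' };
    printf("unchecked says fits: %d\n", fits_unchecked(0x40000001u, 4u));
    printf("checked says fits:   %d\n", fits_checked(0x40000001u, 4u));
    printf("parse_message:       %d\n", parse_message(evil, sizeof evil, dst));
    return 0;
}
```

The overflow test in checked_mul_u32 divides rather than multiplies, so it never relies on wrapped arithmetic to detect wrapping; on compilers that provide __builtin_mul_overflow the same check is a one-liner. Note that parse_message also rejects a payload shorter than the header claims, which is the input-validation failure from the first bullet rather than an arithmetic one.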