Security experts hit back at presidential advisor

Security experts have hit back at an advisor to the US's Homeland Security Council and President Bush for criticising the software industry for producing flawed code.

At the RSA Security conference in San Francisco last week, retired lieutenant-general John Gordon lashed out against software developers for not producing secure code; security experts have said Gordon's comments "missed the point" and his ideas are "not feasible".

During his keynote speech, Gordon questioned how much effort developers put into ensuring their code is watertight. "It cannot be beyond our ability to learn how to write and distribute software with much higher standards of care and much reduced rate of errors and much reduced set of vulnerabilities," he said.

Although Gordon's keynote followed a day after that of Microsoft's chairman Bill Gates, his comments were aimed at the entire software industry rather than at the Redmond giant, which is often criticised for not paying enough attention to security.

According to Gordon, if developers could reduce the error and vulnerability rate by a factor of 10, it would probably eliminate around 90 percent of security threats: "Once we start writing and deploying secure code, every other problem in cybersecurity is fundamentally more manageable as we close off possible points of attack," he said.

However, Jay Heiser, chief analyst at IT risk management company TruSecure, said Gordon is missing "the big picture". He said: "Even if we brought angels from heaven down to do our coding, if they are following existing specs, they are going to continue creating an infrastructure that is innately vulnerable to fraud, deceit and manipulation. How will more bullet-proof code reduce the incidence of spam, phishing, child porn or viruses?"

Richard Starnes, director of incident response at Cable & Wireless, said that although security vulnerabilities can be reduced, many of the security problems arise because so many users and operators do not have the necessary training: "The average user in a lot of incidents is responsible for security breaches, either knowingly or unknowingly. We need to start training a wider population about safe computing procedures and how to do things like minimal patch installs," he said.

TruSecure's Heiser admitted that recent worms such as Slammer and Welchia have taken advantage of bugs that would have been prevented by "human perfection" in the art of coding, but he said viruses often get into corporate networks because of the human element: "Most viruses take advantage of the normal functioning of workstations. If malware is exploiting a vulnerability, it's one between the ears of the users who have been given responsibility for maintaining security, but have not been trained for it," he said.

Starnes argues that even though it may be possible to reduce 90 percent of the vulnerabilities in today's software, it would not be financially viable. He points out that neither software developers nor users want patches because they cost money and time to develop and deploy: "We can reduce bugs by a factor of 10 -- that is easy for a government official in a non-commercial capacity to say, but we are talking about money here. Releasing patches is not a money-making proposition for any company. They do not want to do it and they do not do it out of the goodness of their heart, they do it to protect their customers and reduce their liability," he said.

But not all of Gordon's comments were criticised. In his keynote, Gordon also said wireless network hardware manufacturers should try harder to make security easy to deploy: "The industry needs to make it easy for users like me -- who are reasonably technically competent -- to employ solid security features and not make it so tempting to simply ignore security."

"I applaud the general's comments on usability of security devices. This is spot on, and probably a more fruitful area of effort than trying to improve coding practices," added Heiser.