Code writers’ responsibility

By on

Last month, David Litchfield, managing director of security software company NGS Software, wrote an open letter to Bugtraq criticizing the way Oracle had handled patching a series of flaws in its database products. He urged Oracle's customers to complain to the company demanding "a better security response."

Litchfield said the company took up to eight months to deliver a series of patches that still did not fix the problem.

He's not the only one having problems with the software industry. Former White House cybersecurity adviser Howard Schmidt also laid into developers and called on governments to make software developers personally liable for the security of the code they create. He told the SecureLondon 2005 conference that software developers "should be held personally accountable for the security of the code they write."

But others said we should concentrate on fixing bugs, rather than apportioning blame. "The emphasis should be on resolving flaws at the quality-assurance (QA) testing stage, so they never find their way into the final release of a software product," said Yochi Slonim, CEO of application testing company Identify.

Gunter Ollmann, director of X-Force, Internet Security Systems, agreed, saying: "Software companies have to refine their QA testing to include security efforts."

He said the security of software is generally getting better. This was due in part to pressure from researchers such as Litchfield, and the media highlighting problems.

For instance, Microsoft, once viewed as the worst source of insecure products, is now regarded by many as a model of vulnerability handling. It has opened clear channels of communication with security researchers and its code has improved.

But Litchfield said Oracle has much progress to make. "What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA; no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?"

Simon Perry, vice-president of security at Computer Associates, said the software industry needs to take this subject seriously: "Vendors have a responsibility to work with researchers. This software underpins the economy of the developed world. It has to get better and it won't do so if you ignore the problem."

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?