How to Create Less Vulnerable Software

Wednesday, December 14, 2016 @ 02:12 PM gHale

121416NIST

It is possible to create software with 100 times fewer vulnerabilities than we do today.

To get there, coders can adopt the approaches compiled in a new publication from the National Institute of Standards and Technology (NIST).

RELATED STORIES
A New Look at Cybersecurity
Securing Hazardous Liquids Transfer
Helping Small Businesses Boost Security
Guide to Cyber Threat Info Sharing

The 60-page document, “NIST Interagency Report (NISTIR) 8151: Dramatically Reducing Software Vulnerabilities,” is a collection of the newest strategies gathered from across industry and other sources for reducing bugs in software.

While the report is officially a response to a request for methods from the White House’s Office of Science and Technology Policy, NIST computer scientist Paul E. Black said its contents will help any organization that seeks to author high-quality, low-defect computer code.

“We want coders to know about it,” said Black, one of the publication’s coauthors. “We concentrated on including novel ideas that they may not have heard about already.”

Black compiled these ideas while working with software assurance experts from private companies in the computer industry as well as several government agencies that generate code.

Vulnerabilities are common in software. Even small applications have hundreds of bugs.

Lowering these numbers would bring advantages, such as reducing the number of computer crashes and reboots users need to deal with, not to mention decreasing the number of patch updates they need to download.

The heart of the document is five sets of approaches, tools and concepts that can help, all of which can be found in the document’s second section, Black said. The approaches are under five subheadings that, despite their jargon-heavy titles, each possess a common-sense idea as an overarching principle.

These approaches include: Using math-based tools to verify the code will work properly; breaking up a computer’s programs into modular parts so if one part fails, the whole program doesn’t crash; connecting analysis tools for code that currently operate in isolation; using appropriate programming languages for the task the code attempts to carry out; and developing evolving and changing tactics for protecting code that is the target of cyberattacks.

“Security tends to bubble to the surface because we’ve got adversaries who want to exploit weaknesses,” Black said, “but we’d still want to avoid bugs even without this threat. The effort to stymie them brings up general principles. You’ll notice the title doesn’t have the word ‘security’ in it anywhere.”



Leave a Reply

You must be logged in to post a comment.