Wednesday, 16 October 2013

Software security and reliability is a public interest issue

In response to complaints that there are not enough computer-security-trained professionals in the market today:

It is not just a question of skills and human resources: we also need better defensive tools and techniques, which need to be made freely available, ideally packaged with common software development tools like GCC or the LLVM compiler framework (and switched on by default)!

It would be a terrible waste if these "cyber warriors" (what a ludicrous title) all sat in isolated silos, each tasked with protecting a single organization, when the (stupendous) cost of this defensive work could so easily be amortized across organizations (with enormous cost savings as a result).

We need better tools to analyse complex systems, particularly software systems, for security vulnerabilities, so that those vulnerabilities can be closed. This includes static analysis tools, fuzz testing tools and vulnerability analysis tools.

We need better professional licensing and certification processes, so that we can better control the quality, and reduce the vulnerability, of the systems on which we all rely.

We need security-oriented programming conventions, and software registers, so that security software can do its job more easily and more effectively.

We ALL have an interest in the reliability and trustworthiness of the complex systems that we rely on to power our infrastructure; our financial system; our workplaces. Nobody wants to gain competitive advantage because a competitor was targeted by a criminal. In a world dominated by unreliability and insecurity, it is only the criminals that win.

There is a HUGE incentive to work together here. In the public interest, let's do so.