Secure Coding Standards Needed for Cyber Resilience
On March 15, 2016 the Consortium for IT Software Quality (www.it-cisq.org), with support from the IT Acquisition Advisory Council (www.it-aac.org), hosted IT leaders from the U.S. Federal Government to discuss IT risk, secure coding standards, and areas of innovation to reduce the risk of Federal software-intensive systems. The following three themes were repeatedly emphasized by speakers and panelists and underline the need for secure coding standards in cyber resilience efforts.
Three alarms from the March 15 Cyber Resilience Summit tying code quality to secure coding standards
1) The current level of risk in Federal IT is unacceptable and processes must change.
Cyberattacks are becoming more prevalent and complex, and the nation’s IT systems, both public and private, are unprepared, explained Curtis Dukes, director of the National Security Agency’s Information Assurance Directorate. He scores the government’s national security systems at 70 to 75 percent, a ‘C’; the government as a whole gets a ‘D’; and the nation as a whole receives a failing grade, an ‘F’. The safest position is to assume your systems already have malware, remarked Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD), at the U.S. Department of Homeland Security. Both public and private IT organizations are far from the security and resilience required for dependable, trustworthy systems.
2) Poor quality code and architecture makes IT systems inherently less secure and resilient software
Several recent studies found that many of the weaknesses that make software less reliable also make it less secure, in that they can be exploited by hackers while at the same time making systems unstable. In essence, poor quality software is insecure software. Too often security is not designed into the software up front, making it much harder to secure and protect the system. One reason for this is that poor engineering practices at the architecture level are much more difficult to detect and costly to fix.
3) Software must move from a “craft” to an engineering discipline
Software development is still too often viewed as an art. In order to produce secure, resilient systems, software development must mature from an individually practiced craft to become an engineering discipline. Coding practices that avoid security and resilience weaknesses can be trained and measured during development. For comparison, civil engineering has matured to where measurement plays a dominant role in every step of the process. Civil engineers use standard measures to ensure that structures are designed, built, and maintained in a manner that is safe and secure. The CISQ standards provide one means of measuring the structural quality of a system as the software is being developed, thus helping software transition to a more engineering based discipline.
Presentations from the Cyber Resilience Summit are posted to the CISQ website at http://it-cisq.org/cyber-resilience-summit/. The public is invited to join CISQ to stay current with code quality standards and receive invitations for outreach events.
CISQ is consortium co-founded by the Software Engineering Institute (SEI) at Carnegie Mellon University and the Object Management Group® (OMG®) in the IT industry developing standard, automatable metrics for automating the measurement of non-functional, structural aspects of software source code, such as security, reliability, performance efficiency, and maintainability. Weaknesses in these attributes can lead to costly system outages, security breaches, data corruption, excessive maintenance costs, un-scalable systems, and other devastating problems. Now approved as internationals standards by the Object Management Group, the CISQ measures provide a common basis for measuring software regardless of whether it is developed in-house or on contracts.