For Developers, an Ounce of Prevention is Worth a Pound of Cure

Carl Weinschenk

Perhaps the ultimate key to reducing Internet vulnerability is building adequate security into software code as it is being created. This is far more efficient and simply makes more sense than scrambling later to put obstacles in front of inadequately protected software.


That's why it's good to see the Computer Emergency Response Team (CERT) and Fortify Software automating the process. The two say that CERT's C and C++ Secure Coding Standard will run on Fortify's source code analysis tool. The tool will be distributed for free so that in-house testing teams and other vendors can adopt it. CERT is part of the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh.


Other new tools are available. Last month, for instance, Coverity introduced what it says is the first software analysis engine that uses Boolean satisfiability. The release says that the SAT engine creates a software DNA map -- which the company says is a highly accurate representation of the software -- to enable identification of complex defects in the source code. Current software tools, the release says, rely on data flow analysis and multiple checkers to find defects. The SAT engine, on the other hand, uses Boolean values (true and false) and Boolean operators (and, not, or) to find problems in the model it has created.


The introductions are part and parcel of an overall positive trend. Perhaps the most startling step in the right direction is the steady improvement of code emanating from Microsoft, the company that security pros used to love kicking around. PC World, reporting from the company's BlueHat meeting, said the reaction of security researchers was almost entirely positive. One researcher called Vista "arguably the most secure closed-source OS available on the market" and another suggested it may make sense for researchers to look elsewhere for problems. A third mentioned that Web-based services and virtualization may be more fertile fields for researchers.


Microsoft said that it will release the source code for the .NET 3.5 and VS 2008 releases this year. Descriptions of the move -- which is discussed at Scott Guthrie's blog -- are by their nature highly technical. The bottom line is that it will provide powerful new tools to developers and that security is an area that will be enhanced by the move. Guthrie is the general manager of the Microsoft .NET Framework in Microsoft's Developer Division.


This un-excogitate posting summarizes an earlier article at MSDN Magazine that delineates eight rules software writers should follow in order to create secure code. On the list: "never trust data"; use threat modeling and keep abreast of emerging threats and vulnerabilities; and use fuzz input testing. (A response to the post said these three were the only worthwhile tips.)
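Two of the three rules singled out above, "never trust data" and fuzz input testing, reinforce each other: a parser that trusts the lengths and counts an input declares about itself will fail in uncontrolled ways, and a fuzzer is the cheapest way to find out. The following is an added example, not code from the MSDN article or from the post it summarizes. It uses a constructed toy record format (a field count, then length-prefixed fields) and places a trusting parser beside a hardened one that validates every value it reads, then runs a small deterministic mutation fuzzer over both. The format, the limits (`MAX_FIELDS`, `MAX_FIELD_LEN`) and the seed message are all assumptions made for the example.

```python
import random

# Toy record format, constructed for this example:
#   b"<count>;<len>:<bytes><len>:<bytes>..."   e.g. b"2;3:abc2:de"
# The header states how many fields follow; each field states its own length.
SEED = b"2;3:abc2:de"
MAX_FIELDS = 16      # assumed limits for the hardened parser
MAX_FIELD_LEN = 64


class ParseError(Exception):
    """The only exception the hardened parser is allowed to let escape."""


def parse_trusting(data: bytes) -> list:
    """Trusts the declared count and lengths: the 'never trust data' anti-pattern."""
    header, _, body = data.partition(b";")
    count = int(header)                  # ValueError on anything but digits
    fields, pos = [], 0
    for _ in range(count):               # count is whatever the sender claimed
        colon = body.index(b":", pos)    # ValueError when the separator is missing
        length = int(body[pos:colon])    # accepts negative or absurd lengths
        start = colon + 1
        fields.append(body[start:start + length])   # silently truncated on overrun
        pos = start + length
    return fields


def parse_hardened(data: bytes) -> list:
    """Validates every value read from the input before acting on it."""
    header, sep, body = data.partition(b";")
    if not sep or not header.isdigit():
        raise ParseError("bad header")
    count = int(header)
    if count > MAX_FIELDS:
        raise ParseError("too many fields")
    fields, pos = [], 0
    for _ in range(count):
        colon = body.find(b":", pos)
        if colon < 0:
            raise ParseError("missing length separator")
        length_bytes = body[pos:colon]
        if not length_bytes.isdigit():          # rejects empty, signed, non-numeric
            raise ParseError("bad length")
        length = int(length_bytes)
        if length > MAX_FIELD_LEN:
            raise ParseError("field too long")
        start = colon + 1
        if start + length > len(body):          # declared length must fit the message
            raise ParseError("field overruns message")
        fields.append(body[start:start + length])
        pos = start + length
    if pos != len(body):
        raise ParseError("trailing data")
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte flips, deletions or insertions to the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:
            del data[rng.randrange(len(data))]
        else:
            data.insert(rng.randrange(len(data) + 1), rng.choice(b"0123456789;:-"))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return a histogram of *unexpected* exception types the parser raised.

    ParseError is the parser's controlled rejection and is not counted; any other
    exception is an uncontrolled failure a caller would not have planned for.
    """
    rng = random.Random(rng_seed)        # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            pass
        except Exception as exc:         # noqa: BLE001 - we want every other type
            name = type(exc).__name__
            crashes[name] = crashes.get(name, 0) + 1
    return crashes


if __name__ == "__main__":
    print("trusting parser:", fuzz(parse_trusting, SEED))
    print("hardened parser:", fuzz(parse_hardened, SEED))
```

Both parsers accept the well-formed seed, but on `b"1;3:ab"` the trusting one quietly returns a two-byte field for a declared length of three, while the hardened one rejects the message. The fuzzer makes the difference visible without any hand-written malformed cases: the trusting parser leaks raw `ValueError`s for the caller to handle, the hardened parser only ever raises `ParseError`.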


Software code is, of course, highly vulnerable. By the same token, protecting it more consistently will have a chilling effect on the community of criminals who attack it. For that reason, it's terrific to see companies and organizations making the extra effort to include security at the code's most basic and fundamental levels.
