Monday, March 17, 2008

Good Economist Article on Software Security

Last week the Economist ran their Technology Quarterly series and had a great piece on software security and quality. The title was "Software that makes software better."

The Technology Quarterly is a great read that covers quite a number of new/evolving areas of technology such as improvements in battery design/lifetime, new pico-projectors, and this time a great article about software quality and security.

The article is a quick run-through of integrating quality and security concerns into the development process through the judicious use of tools. The two major items of note from the paper were:

1. Integrating the tools with how developers usually work is key
2. We still don't really have any idea what we're doing :)

From a metrics perspective, the most important line was this one from NIST:

America's National Institute of Standards and Technology (NIST) is doing its best to create the software equivalent of the “generally accepted accounting principles” used in the financial world. Its Software Assurance Metrics and Tool Evaluation (SAMATE) project is intended to offer companies a way to quantify how much better their code will be if they adopt particular tools and programming languages. Paul Black of NIST says its first report, on static-analysis tools, should be available in April. The purpose of the research is “to get away from the feeling that ‘all software has bugs’ and say ‘it will cost this much time and this much money to make software of this kind of quality’,”

I added the emphasis above. That line from Paul is a pretty ambitious statement - though who knows whether the reporter really got the quote right. Overall the SAMATE project is an important aspect of increasing assurance, but I'll be surprised if we manage to boil things down to "do this, this, and this, it will cost X, and you'll be Y-secure."
