The National Security Agency analyzes a lot of software. They develop software configuration guides, provide system level guidance, and perform and fund research and development of information assurance hardware and software.
So when Richard Schaffer, director of Information Assurance at NSA, says vendor mistakes continue to be the biggest problem with software, he knows what he is talking about.
Schaffer, who spoke Wednesday at the AFCEA cyberspace challenges conference in Washington, says that while things have gotten better over the last five years, software and hardware are still too vulnerable to attack.
“In the rush to get new product to market, the testing is not complete so the consumer becomes the beta tester even for previously released products,” he says. “It’s the bugs, the defects, it’s unintended activity within the software itself. It’s the maturity of the tools used to test and evaluate software.”
Vendors still too often ship buffer overflow errors, a commonly known class of bug that gives an adversary a way to exploit a software system, Schaffer says.
“How do we move past the point where these commonly known vulnerabilities are eliminated from software development or at least looked for in development practices so we get to a higher stage of maturity in software development,” he says.
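To make the bug class Schaffer names concrete, the following is an added example, not code from the article or from NSA: the classic unbounded copy into a fixed-size field, the pattern a code review or static analysis pass in the development process should catch, alongside a bounded replacement that rejects input that does not fit. The field size `NAME_LEN`, the function names and the sample inputs are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size field chosen for the example */

/* 'Before': the classic unbounded copy. strcpy() stops only at the NUL in
 * src, so any src of NAME_LEN characters or more writes past the end of
 * dst and corrupts whatever the compiler placed after it on the stack.
 * Kept as the pattern a reviewer or static analyser should flag; it is
 * never called on untrusted input in this file. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* 'After': the copy is bounded by the destination size the caller passes,
 * and an input that does not fit is rejected outright rather than written
 * out of bounds or silently truncated (truncation can break a later parser). */
bool copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return false;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* bounded scan: never reads past dst_len */
        n++;
    if (n >= dst_len)
        return false;                        /* no room for the terminating NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Does src fit in a NAME_LEN field? Wraps the checked copy with a local buffer. */
bool name_fits(const char *src)
{
    char name[NAME_LEN];
    return copy_name_checked(name, sizeof name, src);
}

/* Runs the constructed samples and returns how many were accepted. */
int demo_accept_count(void)
{
    /* Constructed sample inputs, not real data: two fit, one is exactly
     * NAME_LEN characters (needs NAME_LEN + 1 bytes with its NUL), one is
     * the kind of long string an attacker supplies to overflow the field. */
    static const char *const samples[] = {
        "alice",
        "bob.builder",
        "0123456789abcdef",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[NAME_LEN];
        if (copy_name_checked(name, sizeof name, samples[i])) {
            accepted++;
            printf("accepted: %s\n", name);
        } else {
            printf("rejected (needs more than %d bytes incl. NUL): %s\n", NAME_LEN, samples[i]);
        }
    }
    return accepted;
}

int main(void)
{
    printf("%d of 4 inputs accepted\n", demo_accept_count());
    return 0;
}
```

The point of the bounded version is that the size travels with the destination: the caller passes `sizeof name`, the scan never reads beyond that many bytes, and oversized input is a handled error rather than a memory write. That is the property a development-practice check (compiler warnings on `strcpy`, a static analyser rule, or a review checklist) is looking for.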
Schaffer says one way is for industry to use open standards when developing software. This would let agencies and developers use tools like the Security Content Automation Protocol (SCAP) more easily.
“How do we manage software in an enterprise environment so we are addressing new found vulnerabilities as quickly as possible and we are automating that process,” he says. “I will not recommend any software solution that is not built around open standards. It just makes it easier for the systems administrator to manage the network.”
NSA joined with the National Institute of Standards and Technology to develop an SCAP tool that tests for the Federal Desktop Core Configuration (FDCC) for Microsoft Windows XP and Vista.
The FDCC SCAP tool tests for about 99 percent of all settings, making it easier for agencies to gauge how completely they have applied the configuration to the operating system.
“You can’t expect a user or an overworked system administrator to respond to all of the defects or patches that come out every day,” he says. “You need to be able to manage those across the enterprise so you are not relying on people to do that.”