CHICAGO -- It's been said badly written software is at the heart of today's security ills. But is it reasonable...
to believe code writers are capable of being made more security conscious in an enterprise setting?
Yes, says Gary McGraw, chief technology officer for software company Cigital Inc. of northern Virginia.
No, says Fred Cohen, principal analyst with the Burton Group of Midvale, Utah.
The two debated the issue at the Information Security Decisions conference Thursday. McGraw said software writers can be taught to create code with security in mind with help from fellow developers. Cohen believes a change in the code-writing culture can only begin in the halls of academia. The problem, he said, is that academia lacks the money and research to produce better programs so people can learn to write secure code from the start.
"We have a security problem that's getting worse, not better, because we're trying to deal with it by coming up with reactive solutions to protect broken software," said McGraw, who has co-authored four books on security, including Building Secure Software. "It doesn't work."
McGraw joked, "We have a plan to win the war but not manage the peace." And, he noted, "Those who build exploits are software people. Those who provide security generally aren't software people."
He said the best way to turn things around is for the corporate world to help raise code writers' security awareness. "We need people who build software to know about security through awareness," he said, telling the audience, "They need help from us; from other software builders."
Cohen, who has been credited with defining the term "computer virus" and pioneering defense technology used by more than half the world's computers, said he doesn't disagree with McGraw in theory. It's just that the theory isn't workable in today's world because "we don't know enough about software and more research is needed."
He said software will continue to be plagued by serious quality issues unless there are major breakthroughs in the universities in terms of money, research and program planning.
"Today we just can't do it all," Cohen said. "We need time and research and to train people. We need to create a good engineering discipline."
At the start of the debate, Andrew Briney, editor-in-chief of Information Security magazine, asked for a show of hands on whose position was right. A few hands went up for McGraw, a few more for Cohen and the majority was undecided. At the end, support for both positions appeared about even.
The truth is somewhere in the middle, if the reaction of one audience member is any indication.
"Both of them spoke about the need for awareness," said Leslie Peckham, information security advisor for Madison, Wis.-based American Family Insurance. "We hear a lot about how security is a people issue and how awareness is key. I think that's right, and that the two really don't disagree on the main issue. But I agree with [Cohen] that it begins in the academic world."