GUEST COMMENTARY

Microsoft tossing money away


Ira Winkler, CISSP
10.31.2004


Microsoft recently held a get-together for educators, and it was refreshing to see that a key focus was on security. This is not overly surprising as Microsoft does have a major focus on security. They also used this opportunity to announce that they were giving away $1 million in grants to support advances in secure software development. At face value, that sounds great. The reality is that this is likely going to be a big waste of money.

Let's face it, little research actually makes a measurable improvement in its targeted field. As a matter of fact, it isn't supposed to. Optimistically, academic research generally amounts to re-examining previous research in some other way. There are some great innovations, but almost all of them rot in some obscure journal, read by a few hundred researchers and students.

However, this money from Microsoft seems to be intended to create a few "centers of excellence" for secure software development. These centers will supposedly turn out experts in secure software implementation. In my opinion, even if you assume that this will accomplish such a noble goal, it's still a waste of money.

Yes, I know. My statements are sacrilege to the security community and especially the academic community. However, think about it. Does the problem of generally poorly written software, from a security perspective, result from not having enough security experts? You security experts may think so, but the reality is that the problem results from the hundreds of thousands of software developers out there who have no clue about writing secure software.

Do you think that a few dozen experts in writing secure software are going to make significant improvements to the overall problem? You have to be delusional to think so.

What will significantly improve the overall state of security is getting the average programmer to write secure software. Centers of excellence do not do that. They sound good for PR purposes, and maybe they will make a few notable improvements in design principles. However, unless they can scale to reach every possible software development effort, or even a measurable number of them, they have little practical value.

So what should Microsoft do with its $1 million? First, don't give it to experts in the security field. Now I've moved from sacrilege to heresy. To teach the largest number of people how to develop secure software, you have to get to the people who write software engineering textbooks for college courses. Since it seems like there are probably fewer than a dozen books on the subject commonly used in colleges, a very small set of authors can be targeted.

It is my strong recommendation that Microsoft find those authors and give them a "grant" to update their textbooks. The grant would mandate adding a new chapter to their book specifically on secure software development.

This is actually a double win. Students can no longer buy used textbooks because of the new version, so the authors will get more royalties. For the profession, more software developers will have the appropriate basic training. Yes, I know this isn't perfect. But it does reach exponentially more programmers than any center of excellence ever will.

The fact is we don't need revolutionary research to improve poor development practices. We need to get the software developers to apply the best practices that have been around for more than a decade.

About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted for many of the largest corporations in the world. He is also the author of the forthcoming book, Spies Among Us.
