Secure coding? Bah!

"The root of the vulnerability problem is that programmers don't know how to code securely. If programmers were taught security in the first place, my job would be 100 times easier."

How many times have you heard this? All together now, repeat after me: Not gonna happen.

Don't get me wrong. Building secure software is a laudable goal. It boosts productivity and reduces costs. According to one study, it's 6.5 times more expensive to fix a security problem in the implementation phase than in the design phase of a software rollout. By the time you get to the maintenance phase, it's 100 times more expensive.

But we'll burn too much time and energy chasing a totally impractical objective. Secure programming is an oxymoron because none of the parties who could make it happen on a broad scale are properly "incentivized."

Industry leaders care about two things: how to make more money and how to spend less. The notion that secure programming helps them increase efficiency and cut costs in the long run ignores the fact that it's faster and cheaper to build crappy software to get the project rolled out immediately and help the company make its quarterly number.

Academia seems best positioned to influence this issue. But engineering and computer science curricula are developed by faculty who don't have the background, knowledge or interest in developing security coursework. Accreditation bodies aren't forcing the issue, and there's precious little research funding in this area. The result is a vicious cycle: No money, no research, no courses, no students, no workforce training and no matriculating Ph.D.s to break the cycle.

That leaves us with the government, which professes to want to change this problem but is hopelessly mired in bureaucracy. To date, the NSA has designated more than three-dozen universities as Centers of Academic Excellence in Information Assurance Education. Just ask the directors of these centers how much federal money they've actually received under this program, or how uniform their curriculum is compared to other centers. They're struggling, and they're frustrated.

Secure coding is yet another silver bullet. Risk reduction is all about reducing vulnerabilities, mitigating threats and lowering event costs. Secure programming, in theory, solves the vulnerability problem. But since the theory isn't ultimately practical, you have to concentrate your efforts on other vulnerability reduction efforts -- hardening, layering, patching -- while keeping your eye on emerging threats and managing incidents to reduce recovery costs.

About the author
Andrew Briney, CISSP, is editorial director of the TechTarget Security Media Group, which includes Information Security magazine, SearchSecurity.com and the Information Security Decisions conference.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Software Development Methodology,   Guest Commentary,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Software Development Methodology Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities Guest Commentary Google hacking exposes a world of security flaws Eliminating the threat of spam email attacks Outsourcing IT services: Is it worth the security risk? How permanent is your storage solution? Honeypots can strengthen reconnaissance and lower intrusion noise Freedom of speech or lack of professional responsibility? This year compliance, next year control Senior security member explains his position on Abagnale Computer Security Institute's leader responds to Abagnale flap Spokesman or poster child? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.