Microsoft recently held a get-together for educators, and it was refreshing to see that a key focus was on security. This is not overly surprising as Microsoft does have a major focus on security. They also used this opportunity to announce that they were giving away $1 million in grants to support advances in secure software development. At face value, that sounds great. The reality is that this is likely going to be a big waste of money.
Let's face it, little research actually makes a measurable improvement in its targeted field. As a matter of fact, it isn't supposed to. Optimistically, academic research is generally to examine previous research in some other way. There are some great innovations, but almost all of them rot in some obscure journal, read by a few hundred researchers and students.
However, this money from Microsoft seems to be intended to create a few "centers of excellence" for secure software development. These centers will supposedly turn out experts in secure software implementation. In my opinion, even if you assume that this will accomplish such a noble goal, it's still a waste of money.
Yes, I know. My statements are sacrilege to the security community and especially the academic community. However, think about it. Does the problem of generally poorly written software, from a security perspective, result from not having enough security experts? You security experts may think so, but the reality is that the problem results from the hundreds
Do you think that a few dozen experts in writing secure software are going to make significant improvements to the overall problem? You have to be delusional to think so.
What will significantly improve the overall state of security is getting the average programmer to write secure software. Centers of excellence do not do that. They sound good for PR purposes, and maybe they will make a few notable improvements in design principles. However, unless they can scale to reach every possible software development effort, or even a measurable number of them, they have little practical value.
So what should Microsoft do with its $1 million? First, don't give it to experts in the security field. Now I moved from sacrilege to heresy. To teach the largest number of people how to develop secure software, you have to get to the people who write software engineering textbooks for college courses. Since it seems like there are probably less than a dozen books on the subject commonly used in colleges, a very small set of authors can be targeted.
It is my strong recommendation that Microsoft find those authors and give them a "grant" to update their textbooks. The grant would mandate adding a new chapter to their book specifically on secure software development.
This is actually a double win. Students can no longer buy used textbooks because of the new version, so the authors will get more royalties. For the profession, more software developers will have the appropriate basic training. Yes, I know this isn't perfect. But it does reach exponentially more programmers than any center of excellence ever will.
The fact is we don't need revolutionary research to improve poor development practices. We need to get the software developers to apply the best practices that have been around for more than a decade.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
This was first published in November 2004