
The U.S. Government Acts on Software Security

By jacobw

One week after President Obama signed the 2013 National Defense Authorization Act, which lays out strong new requirements for software security assurance on many federal systems, the Department of Homeland Security's US-CERT released Alert TA13-010A advising users to universally disable Oracle's ubiquitous Java platform in web browsers. The alert cites a widely exploitable vulnerability reported on Thursday, but it also comes in the year after Java surpassed Adobe Reader as the most exploited software worldwide, representing roughly half of total attacks.


While the recommendation to disable software is unusual for US-CERT, the inconvenience to users is much less than if a similar alert were issued for other popular targets, such as Adobe Reader or Microsoft Internet Explorer, because modern sites rarely use Java in the browser (Applets). Disabling Java could cause problems for users of legacy web applications, especially in outdated enterprise environments, but the guidance won’t interfere with the activities of most users.


Disabling Java is good security advice for now, but it’s also a red herring. The real issue is the impact insecure software has on our businesses and lives. In the public sector the 2013 National Defense Authorization Act requires many federal systems to be reviewed for vulnerabilities using automation technology, such as static analysis, and that their owners develop remediation strategies and track the results for detailed reporting to Congress after a year. What gets measured gets done!


Over the last decade the software industry gradually accepted that security is a core requirement of good software and not something that can be bolted on. It's time for the private sector to take the same approach as the public sector: treating software security more like a science. The right mixture of technology, security intelligence, and process is needed to build secure software, but without specific metrics for success and an organizational willingness to change, achieving software security assurance will remain elusive.
