One week after President Obama signed the 2013 National Defense Authorization Act, which lays out strong new requirements for software security assurance on many federal systems, the Department of Homeland Security US-CERT released Alert TA13-010A advising users to universally disable Oracle’s ubiquitous Java platform in web browsers. The alert cites a widely exploitable vulnerability reported on Thursday, but it also comes in the year after Java surpassed Adobe Reader as the most exploited software worldwide, representing roughly half of total attacks.
While the recommendation to disable software is unusual for US-CERT, the inconvenience to users is much less than if a similar alert were issued for other popular targets, such as Adobe Reader or Microsoft Internet Explorer, because modern sites rarely use Java in the browser (Applets). Disabling Java could cause problems for users of legacy web applications, especially in outdated enterprise environments, but the guidance won’t interfere with the activities of most users.
Disabling Java is good security advice for now, but it’s also a red herring. The real issue is the impact insecure software has on our businesses and lives. In the public sector the 2013 National Defense Authorization Act requires many federal systems to be reviewed for vulnerabilities using automation technology, such as static analysis, and that their owners develop remediation strategies and track the results for detailed reporting to Congress after a year. What gets measured gets done!
Over the last decade the software industry gradually accepted that security is a core requirement of good software and not something that can be bolted on. It’s time for the private sector to take the same approach as the public sector: treating software security more like a science. The right mixture of technology, security intelligence, and process is needed to build secure software, but without specific metrics for success and an organizational willingness to change, achieving software security assurance will remain elusive.