Software can be more secure, says NIST, and we think we know how
Standards org's wish-list probably looks a bit like yours
The National Institute of Standards and Technology (NIST) has completed its long-running research into cutting software vulnerabilities and dropped the big envelope into the White House letterbox.
NISTIR 8151, Dramatically Reducing Software Vulnerabilities, first landed as a draft in July, and the final version dropped last week (PDF).
The document's brief was to look at approaches new to the software industry, and seek technical improvements to software development that could have a “dramatic” effect on software quality (for example, cutting the typical 25 errors per 1,000 lines of code by an order of magnitude); and could be achieved in a three-to-seven year timeframe.
Math-based tools are needed to verify code operation, the report says, and developers should modularise the code sufficiently so it doesn't crash just because one component fails (Vulture South knows this is obvious, but just how many vulnerabilities happen when you crash a process and get to root?).
Rather than operating in isolation, NIST says, code analysis tools need to be connected together, something the report refers to as “additive software analysis”. As noted in the report:
“IDEs sometimes do not offer an 'information bus' for tools to share software properties. Each tool must do its own parsing, build its own abstract syntax tree (AST), list variables with their scopes and attributes and 'decorate' an AST with proven facts or invariants. Some tools are built on a common infrastructure, such as LLVM or ROSE, so they share code, but they must still do much of the analysis over again. In addition, there are few standards that allow, for example, one parser to be swapped out for a new parser that runs faster.”
NIST's software security recommendations. Click to embiggen
Again, this may be obvious – but instead of slavishly using one programming language because it's the one you've got familiarity with (or trained personnel for), software development should choose programming languages on a best-for-task basis; and developers should have “evolving and changing tactics for protecting code that is the target of cyberattacks.” ®