FYI ... ________ jose nazario, ph.d. [EMAIL PROTECTED] http://monkey.org/~jose/ http://infosecdaily.net/
http://www.computerworld.com/securitytopics/security/story/0,10801,97988,00.html By Grant Gross DECEMBER 02, 2004 IDG NEWS SERVICE WASHINGTON -- Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used, said the former director of cybersecurity for the U.S. Department of Homeland Security. Creating software assurance tools was one long-term focus of the DHS National Cybersecurity Division during Amit Yoran's tenure there, Yoran said today during the E-Gov Institute Homeland Security and Information Assurance Conferences in Washington. About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes. "Today's developers ... oftentimes don't have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," Yoran said. Government research into some such tools is in its infancy, however, he added. "This cycle will take years if not decades to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance." Yoran, who resigned from his DHS position in September after being on the job for a year, hinted at why he left, but sidestepped a question about the reasons. In the private sector, he had a "real objective" on how to move forward, he said. "When you move into a strategic and somewhat ill-defined role of 'protect cyberspace,' that's a very difficult mission to get your arms around," he said. "You show up to work on a Monday morning, you're ready to put your fingers to the keyboard, you've got a team of folks working with you, what do you do ... to secure cyberspace from within the Department of Homeland Security?" Most Internet resources are owned by the private sector, and the U.S. government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice president of worldwide managed security services at Symantec Corp. With no operational or regulatory control over most of the Internet, the goal of securing cyberspace at DHS was difficult, he said. Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address. Yoran, however, defended President George W. Bush's National Strategy to Secure Cyberspace, released in February 2003. The strategy, which sets out five major cybersecurity recommendations, did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said. "As the Department of Homeland Security ... implementing the national strategy is not our job; it's not our responsibility," he said. "It's the nation's job, it's the international technology community's job and responsibility. We can just help." The national strategy and efforts at DHS can help move cybersecurity efforts beyond the current "cat and mouse game" of finding vulnerabilities, assessing whether to patch them, and patching them when the problems become painful to companies, Yoran said. He predicted a "radical transformation" in the cybersecurity field within two to four years as more companies and government agencies accept technologies such as Web services, remote Internet access and RFID (radio frequency identification) tags. "In the next two to three years, you won't be able to define where your network begins and ends," Yoran said. "The paradigms we rely on today for protecting our information -- stronger firewalls, more accurate intrusion detection -- those types of technologies will be required, but they will be solving an increasingly small percentage of the challenges that are going to be facing us."