Software can be more secure, says NIST, and we think we know how

The National Institute of Standards and Technology (NIST) has completed its long-running research into cutting software vulnerabilities and dropped the big envelope into the White House letterbox. NISTIR 8151, Dramatically Reducing Software Vulnerabilities, first landed as a draft in July, and the final version dropped last …

  1. JeffyPoooh
    Pint

    "Software can be more secure..."

    That seems like a reasonable claim.

    An extraordinary claim would be, "Software can be less secure."

  2. Anonymous Coward
    FAIL

    Additive Software definition.

    While the concept is reasonable about communication, the analogy is rubbish, "you get a better suit if two different people take measurements"

    1. Charles 9

      Re: Additive Software definition.

      Yes, if both take THE SAME measurements and compare notes in case one made a mistake.

  3. Adam 52 Silver badge

    "instead of slavishly using one programming language because it's the one you've got familiarity with (or trained personnel for), software development should choose programming languages on a best-for-task basis;"

    We tend to pick the best tool for the job, but it does mean that I'm now supporting a system written in a mix of node.js, d3, bash, Ruby, Java, T-SQL, Postgres 8, Postgres 9, Mongo, Python 2.7, Python 3, Go, MDX, DAX, R, Cypher, SPARQL and some proprietary stuff.

    With the best will in the world I can't be an expert in them all.

    1. HmmmYes

      I don't envy anyone mainlining JavaScript and bash. And Java. Still, at least there's no Perl.

      Orgs need to think carefully about introducing any language into their systems and the ongoing support costs.

      I've a number of systems where it's been written by some fly-by-night using the next best thing. Nightmare.

      Me? Horses for courses. And never believe the hype - C99, Python3, ErlangOTP, Lua and the odd bit of C++13/Boost covers most bases.

    2. Whitter

      best-for-task basis...

      "Best for task" includes engineering concerns of "what do my (relevant) programmers already know", "how much time to take over this job" and "can the team maintain the system".

      Mixing languages is in many cases antithetical to all three (though not all obviously).

      1. a_yank_lurker

        Re: best-for-task basis...

        The academic "best for task" also assumes enough time (longer than the project dev cycle) to properly learn these languages.

    3. Destroy All Monsters Silver badge
      Windows

      > We tend to pick the best tool for the job, but it does mean that I'm now supporting a system written in a mix of node.js, d3, bash, Ruby, Java, T-SQL, Postgres 8, Postgres 9, Mongo, Python 2.7, Python 3, Go, MDX, DAX, R, Cypher, SPARQL and some proprietary stuff.

      If you are using node.js and Mongo, you are NOT picking the best tool for the job.

      It sounds more like you are picking the tool that is hot.

      And not even a single logic programming language?

  4. Pig Dog Bay

    Standards

    This XKCD springs to mind

    https://xkcd.com/927/

  5. Anonymous Coward
    Black Helicopters

    Start by actually writing your own code!

    I can't help wonder if a lot of problems aren't caused by the over(?)usage of libraries. Sometimes certain libraries even utilize other libraries so then you have to deal with multiple dependencies.

    Now, don't get me wrong: sometimes using a library or API is simply the only way to go. I'm not denying that fact. But sometimes people obviously don't use a certain library to gain certain functionality, but more so to gain easier functionality. Where the library they're using merely provides an easier way to utilize the (original) library which the programmer (in my opinion): should have been using.

    The problem with this approach is that you're only expanding possible risks. The more external libraries you use, the higher the risk that one of them could cause a problem.

    1. Tom 38

      Re: Start by actually writing your own code!

      I would argue the exact opposite. Using a library means taking code that has been designed to do a purpose and using it for that purpose. The library will have a clear and sensible API to achieve the goal you are attempting (and if it doesn't, don't use that library, use another or adjust your mentality).

      NIH is more of a problem to be honest. With NIH you get the same problems with wrapper libraries, except there is no well thought out interface there at all, and each wrapper of NIH code makes it increasingly more difficult to debug and determine what is happening. Worst, each wrapper will probably not be self contained in its own library, but inter-coupled with other code in your project.

      Also, as the author of more than one wrapper library myself, the purpose of a wrapper library is to take a complex and powerful library API and condense it to the point where it does the few things you need the library to do in a concise and clear manner. It makes writing code simpler whilst using the power of the original library.

      For instance, I have an application that has to sign, verify, decrypt and encrypt XML documents in a bunch of places. I wrote a small wrapper library around libxmlsec1 which provides the API needed by our application without needing to go in to the nitty gritty of how to make those calls solely using libxmlsec1. In fact, this is a great example as libxmlsec1 is itself actually a wrapper around openssl and libxml2.

      1. Charles 9

        Re: Start by actually writing your own code!

        "I would argue the exact opposite. Using a library means taking code that has been designed to do a purpose and using it for that purpose. The library will have a clear and sensible API to achieve the goal you are attempting (and if it doesn't, don't use that library, use another or adjust your mentality)."

        It could also be totally WRONG, which is the point. You're placing your trust in a third party; that third party can betray you, intentionally or not. Ever heard the phrase, "If you want something done right..."

        1. Tom 38

          Re: Start by actually writing your own code!

          It could also be totally WRONG, which is the point. You're placing your trust in a third party; that third party can betray you, intentionally or not. Ever heard the phrase, "If you want something done right..."

          Nah, BS. If you code to a library and the library is shit, you can replace it. Better still, you have a fixed interface between your code and the library code making it explicitly clear what has to be replaced.

          PS:

          In software development, the full phrase is "If you want something done right use the same library that everyone else uses for doing that and don't dick around re-implementing it yourself".

          1. Mike 16

            Re: Start by actually writing your own code!

            --- In software development, the full phrase is "If you want something done right use the same library that everyone else uses for doing that and don't dick around re-implementing it yourself". ---

            That way lies Heartbleed, and so many others. The combination of too many layers and dynamic libraries has meant that some developer you have never heard of has a bad day working on some library you didn't know you were using, and systems all over the world start rolling over for no good reason as soon as the "mandatory automatic update" happens. The first woodpecker to come around not only destroys your house, but the entire neighborhood.

            (Yes, it is not a universally good idea to "roll ones own", but Sturgeon's Law applies in spades to libraries and frameworks. Code to an actual _Standard_, for which there is more than one implementation, and of course "Trust, but Verify", if possible)

            1. Charles 9

              Re: Start by actually writing your own code!

              So how does this apply to a sensitive subject like, say, cryptography? You can't trust yourself because you're not knowledgeable on the subject and therefore are likely to do it wrong (and it's definitely NOT something you can just pick up by reading a book overnight), but you also can't trust anyone else because it's SUCH a sensitive subject anyone else is likely to be incompetent, corrupt, or both.

              1. Destroy All Monsters Silver badge
                Windows

                Re: Start by actually writing your own code!

                It's a judgement call.

                Write your own if you have time, money, and the skills.

                But beware of the freshman's error, who thinks he's capable of doing good and ends up reinventing the square wheel. And who forgets about testing and debugging. And that the maintenance problems just BEGIN once the code has shipped.

                Generally not worth it.

                In fact, don't do it. If you must, clean up an existing library.

                "The best code is no code."

                1. Charles 9

                  Re: Start by actually writing your own code!

                  The best code is no code...ONLY if you want to do NOTHING.

                  If nothing is not an option, then to turn a phrase, you better start coding.

                  "Write your own if you have time, money, and the skills."

                  But that's the problem I'm describing. When it comes to cryptography, few people really DO have the skills. Problem is, those that DO could really be double agents. So you're caught between Scylla and Charybdis.

      2. RosenneJ

        Re: Start by actually writing your own code!

        OK as long as the auditors that audit your software can also audit the libraries you use.

  6. Claptrap314 Silver badge

    Are you suggesting that it is better to roll your own crypto than use a trusted library because of Heartbleed? Buhahahahaha! Do you use a compiler? Do you run a distribution? We make constant use of library functionality all of the time because that is the ONLY way to move forward.

    There are certainly things to be wary of in using other people's code--but again, you never get anything done if you don't.

    And here I was going to comment on the impracticality of relying on formal methods...

    1. Charles 9

      It IS impractical because of scope. Formal proofs tend to require specific conditions to work (like the lack of direct-access code in seL4, meaning it chugs). Plus, no matter how you slice it, a module only has a limited base of knowledge: what goes into it and what it does with it (Chinese Room Problem). That's why ROP and other exploits simply exploit the standard behavior of these modules to create mischief: a gestalt exploit, I call it (worse than the sum of its parts).

  7. LewFoo
    FAIL

    Maybe Hire Professional Software Engineers

    How about starting by hiring actual professional software engineers, who have been formally trained in a university environment? Yeah, how about that instead of incompetents who have read one book on C++ and miraculously know everything there is to know about software systems design, complex data structures, bug-reducing coding practices, concurrent task issues (and other mind-blowing critical timing issues), error-proof inter-task communications, proper coding techniques, COMMENTS IN THE CODE!, small unit module design, object oriented DESIGN (not just coding), and did I mention data structures?

    I've been a professional software engineer (with a Computer Science degree) for more than 40 years, and it continues to amaze me that companies STILL think that they can save money by hiring astonishingly incompetent 'coders' who know literally NOTHING about formal computer software design techniques. And then the company managers are all naively surprised when their products fail in fantastically spectacular fashion.

    Oh yeah, and one more thing: stop letting electrical engineers write software! You wouldn't have a plumber fix your electrical wiring in your house, would you? He probably could, but you wouldn't want to have to make any modifications to the resulting horror show.

    </rant>

    1. Destroy All Monsters Silver badge

      Re: Maybe Hire Professional Software Engineers

      S'truth but ...

      > formally trained in a university environment

      It's not enough. I know.

      You need to be embedded in a coder sweatshop and suffer mightily for a few years to really get into it. In fact, you need someone that is both a bit of a mathematician and of a woodworking artist and who can consciously walk the line between those two domains.

    2. Charles 9

      Re: Maybe Hire Professional Software Engineers

      "How about starting by hiring actual professional software engineers, who have been formally trained in a university environment?"

      You got the money? Because the PHBs can't be convinced even by the legal department.

  8. John Smith 19 Gold badge
    Unhappy

    Anyone recall that security bug in a 20 YO image processing library?

    Want to bet that was the first time it was found?

    I doubt it.

    Yes, libraries allow you to leverage previous developers' work and (depending on how good the fit) give massive gains in productivity.

    But designing a good library (sensibly named functions, one name doing one job so you can decide what to string together) is damn tricky. OTOH, writing crypto is damn tricky too.

    The trouble, of course, is that the ways that work (detailed software structure planning, code walkthroughs, scanning code for further examples of the same code failing) are time consuming and expensive. PHBs would rather "invest" the money in more new shiny features. Bugs? Who cares, as long as it's keeping pace with competitor X.

  9. Calimero

    More secure than what?

    I suggest we make peace and all use COBOL. Anything can be written in COBOL - just please use some standards to prove this is wrong. It may take 10^8 *more* lines of code *than* if the best-for-task language were used, but it will get done. Nice report!
