Computer Science & Software Engineering Security and Privacy (CITS3231) - Lecture 10
Writing Secure and Robust Software

It's often claimed that the biggest problem with security is that practitioners are unclear as to what the problem is. In summary, it's insecure computer software.

The best network firewall provides only minimal defense if it still permits constrained access to unreliable software. Moreover, any firewall (whether a hardware appliance, in-kernel, or a user-level program) is written in software. Similarly, the strongest encryption algorithms may only permit attackers to securely communicate with insecure software.

Internet-enabled applications, including ones developed within companies, form the greatest category of security risks. Each year, at least 80% of security advisories from CERT/CC (the Computer Emergency Response Team Coordination Center, www.cert.org) report security vulnerabilities caused by insecure software. Moreover, again, 80% of all vulnerabilities cannot be addressed using stronger encryption.
Computer & Network Security (CITS3231), Lecture 10, p1, 7th October 2008.