According to the latest Carnegie Mellon’s Software Engineering Institute security report, last year there were more than ten thousand cases of computer attacks, intrusions, and plantings of malicious code from “unknown people” around the world. That’s up 86 percent from the previous year and 146 percent from two years ago. The increase of computer attack has raised the importance of managing security risk in every company as well as at the individual level. Everybody could be the target of attack, from the Chief Information Officer (CIO) of a large company to a highschool student in a small city, anyone with a personal computer or a smart-phone could be victim.
Few weeks ago, a president of a large bank in the U.S found that his computer was automatically sending important financial data to computers located in several countries around the world. In other word, he had been the victim of a “phishing attack” by hackers. Once they got inside his computer, they can use his personal computer as an instrument to capture any information they wanted and access to computers of people who work for his bank, because after all, he is at the highest level of management. How much damage is not known at this time, what hackers are doing with the information is also not determined yet but it could be severe.
There were similar problems happened to government officials around the world when they visited certain websites or opened an unsolicited emails from unknown persons. Of course, government officers never disclosed information about what happened to their computers but theses were all serious problems due to the nature of sensitive information stored in their computers. Today, it is no longer just hackers want to prove that they can do some damages, or criminals who want to steal personal bank and stock trading accounts, but also government agencies of foreign nationals who want to collect sensitive information too.
According to the security reports, every year thousands of information systems are accessed by unauthorized persons because their software developers have made programming errors. Most security issues are resulting from defects that are unintentionally introduced during software development. To reduce security problems, it is important that organization must reduce number of defects in software but current training, especially in computer science program is only focusing on teaching programming not “secured programming” where security is integrated into the software development life cycle rather than rely on testing after software already being built. Another problem is today, many software developers are trained in “training school” NOT university, these schools do NOT even teach basic programming structure but only on “how to code” to meet market demand. Students are taught a lot of “Tools and tricks” so they can code without any understanding of the fundamental.
The Software Engineering Institute (SEI) have analyzed thousands of programs all over the world and found that even experienced developers still inject many defects as they develop software. Typically an average developer injects one defect for every 10 lines of code. Although many are caught and removed by compilers and tests but some are still remain. Carnegie Mellon’s software studies conducted on thousands of software projects show that the average defect content of released software varies from about 1 to 7 defects per thousand lines of code. The interesting fact is over 90% of software security issues are caused by known defect types and the top ten causes account for about 75% of all vulnerabilities. Some problems are caused by sophisticated architectural and design issues such as inadequate authentication, invalid authorization, incorrect use of cryptography, failure to protect data, and failure to carefully partition applications. But most are caused by simple oversight that leads to defect types such as declaration errors, logic errors, loop control errors, conditional expressions errors, failure to validate input, interface specification errors, configuration errors, and failure to understand basic security issues. It is clear that software development practices today lead to defective software so it is important that developers must be trained in security programming but change in university training is very slow and that is why security is still a major issue.
To manage these security risks, information system manager must conduct security reviews often. They must know how to set up certain protection against threats by outsiders and ensure that their people is knowledgeable about security practices. The most common mistake of users is opening of unsolicited emails or click into unknown advertising information so it is essential that information system managers conduct trainings to remind users about the dangerous of these mistakes. The other better ways are improving the software development process and building better and more secured software, because it will produce software with fewer defects and less vulnerable to hackers attack. It is also important to identify any critical software components that control functions associated with security. Those components must be monitored closely throughout development and testing.
More than ever, “secured programming” training for all employees and having a security knowledgeable Information System Manager could be the best investment a company could make.
- Blogs of Prof. John Vu, Carnegie Mellon University