Content

Cover story: Defining trust

In one of the chapters, Imam Samudra -- convicted of spearheading the attack more than three years ago that killed 202 people -- advises fellow radical Islamists on how to finance more terrorist acts by stealing confidential credit card information from exploitable programs in the United States, noting that American networks are not as impenetrable as one might think.

As terrorists develop more sophisticated methods, such as internet identity theft, to fund their killing sprees, most Americans find themselves in a powerless position. After all, watching for suspicious packages and behavior is one thing; addressing software holes that induce cybercrime is a different matter altogether -- one that must be addressed (and, ideally, won) by tool vendors and software manufacturers.

That is why Djenana Campara, co-chair of the Needham, Mass.-based Object Management Group (OMG)'s Architecture-Driven Modernization Special Interest Group, is leading her 600-member nonprofit consortium's groundbreaking initiative to create a framework that would calculate risk and detail the properties and components constituting trustworthy software. Experts are billing the new model -- which has the support of the American government -- as a unique perspective to software assurance, an undertaking that could change the security landscape as we know it.

As it stands now, without such a framework, the Sarajevo, Bosnia-native contends that "in some way, we are contributing to those terrorist acts," since no one is truly held accountable for the vulnerabilities that terrorists and cybercriminals are using to engage in illegal activity online.

Campara insists the burden must fall on tool vendors and software manufacturers to follow a best possible practice. Defense, she says, starts at the development level, long before programs hit the shelves and potentially become funding outlets for multimillion dollar terrorist plots.

"I feel I'm on a mission," the Ottawa resident says of the software assurance initiative. "I know what war and terrorism can actually do. And, at the same time, I know the mess of software and the holes in software that there are today that could be exploited by terrorists."

Once established, Campara believes, this agreed-upon framework would create standardized design criteria and automated processes for tool vendors and software makers to follow to ensure safe, reliable and robust products.

"Tool vendors will be building tools based on this framework because they will know that there is a market for them, while software suppliers will use those tools to improve and clean up software products," she says.

The result would be a universally recognized model for companies to prove to customers that the software they are buying is trustworthy and dependable, says Campara, who founded Ontario-based vulnerability detection company Klocwork in 2001 after spinning it out of Nortel Networks. She is now the tool vendor's chief technology officer.

Defining secure software

Currently, no standardized formula exists for a company to claim its software is any more reliable than a competitor's.

"We came together and said that in order for us to address this in a systematic way, we need to come up with a common framework where we would agree on the terminologies, the destinations, the claims and arguments, so that at the end of that, [vendors] can formally measure whether this particular piece of software is trustworthy enough. They can measure themselves and that, I think, is a big achievement," she says.

Both buyers and sellers would benefit, says Samuel Redwine, a computer science professor who spoke at an OMG software assurance information session in February.

"There's no standard way to convey evidence to somebody to say that this is why you should have confidence," says Redwine, who has taught for five years at James Madison University in Harrisonburg, Va. "It would separate out the people who have convincing arguments and evidence of why you should have confidence in software from those that don't, in a rather clear way."

A plethora of assurance tests exist, but absent is agreement over what secure software really entails, says Nancy Mead, a senior member of the technical staff at the Software Engineering Institute (SEI), part of Carnegie Mellon University in Pittsburgh.

"There is no single source for all of these issues to be addressed and no consensus in the field on what would constitute due diligence," she says.

If the framework initiative takes off, it could increase consumer confidence while galvanizing a patch-happy industry that always seems one step behind malware authors, according to some experts involved in the process.

As an example, in each of two recent critical updates, Oracle issued patches to correct more than 80 vulnerabilities. The fixes drew the ire of several analysts, who said the flaws could attract profit-driven hackers.

"None of us like the panic patch, so everyone would like the product to be better at the beginning," says Redwine. "On the other hand, nobody's going to suppliers and saying, 'Convince me it's secure.'"

Finding support

The framework initiative has support from the U.S. federal government.

"Every capability we have is software-enabled or software-controlled," explains Joe Jarzombek, director of software assurance under the Department of Homeland Security's National Cyber Security Division. "We're obviously a big stakeholder in this."

The government, therefore, recognizes the need for assurance and supports OMG's venture, both for its vetted and non-vetted software, he says. OMG, meanwhile, is looking at the government not as another reason for the initiative -- after all, the government is a software customer -- but as a motivator.

"Every other profession has standards," Jarzombek says. "We don't have that today from a safety or security aspect for software. This [framework] gives you a level by which companies can demonstrate more due care. They can show they followed the best practices."

"The realization is that people have not paid attention to software security and now we're seeing all these other things happen," adds Jarzombek, formerly a deputy director for software assurance at the Department of Defense. "We have exploitable software. It's difficult to secure networks when you build it with bricks that have holes in them."

Redwine understands why the government, now starting to recognize the significance of a public-private partnership, is throwing its support behind OMG's effort.

"The government has these needs,'' he explains. "They're worrying about security needs everywhere in our society, not just in the national security sector...so they really need some sort of solution to this stuff."

The U.S. government already requires national security software to undergo Common Criteria Certification testing before being implemented, Jarzombek says. But that process -- often viewed as time-consuming and resource intensive -- is subjective, making it far from the end-all, be-all on assurance, he contends.

"We still have vulnerabilities in those products that have been evaluated, so one would say it's not getting to the heart of it," he says. "[The OMG framework] looks at software in different ways that we're not currently looking at with Common Criteria."

The initiative's players -- comprising OMG's Software Assurance Special Interest Group -- include mostly industry leaders, but also government minds and university professors who have been meeting regularly to discuss the model, Campara says.

Open to suggestions

OMG is devising a request for proposal (RFP) for the model, which it expects to issue by November or December. Any OMG member can offer suggestions.

"I believe everybody has a big interest in participating in this," Campara says.

She believes software is caught in a Catch-22 -- as it becomes more advanced, it also becomes riddled with more holes. This makes the need for assurance advancements a huge priority.

"Large, complex systems are difficult to comprehend," she says. "Therefore, when developers are making changes to complex software, it is common that they unintentionally create a negative effect on the system. Large, complex systems are also difficult to fully test."

The average U.S. defect rate is six to seven flaws per thousand lines of code, Campara says, citing Software Assessments, Benchmarks and Best Practices by Capers Jones. The average software package contains 6,000 defects. As Campara likes to put it: even if just one percent of those defects contain security vulnerabilities, they offer 60 different opportunities for hackers to attack a system.

In developing a standardized process to analyze code, which is currently non-existent, the emphasis will focus attention on following valid coding processes, says Anthony Nadalin, distinguished engineer and chief security architect for IBM Software, which designs programs for the U.S. government.

"Regardless of how you write the code, you need a valid process for design development and testing," he says of the OMG proposal. "It's hard to determine that you have a vulnerability unless you know what you're looking for."

Traditional testing will not identify security problems since it looks for predictable user behavior, not unpredictable hacker attacks, adds Campara. What OMG's model would provide is a formal reference with "implementable specifications," she says.

An eventual market push

Although the model is not meant to be a burden -- vendors will be able to access it for free on OMG's website once completed -- experts are divided on how companies will react. It could present a difficult business decision, some believe.

SEI's Mead predicts some vendors may resist it, at least initially, because it could prove labor intensive.

"That's the risk," she says. "On the plus side, having standards by which to measure products from a software assurance perspective would be extremely beneficial. Right now, it's uneven in terms of what different organizations do in terms of evaluating processes. Some do evaluations that are extremely intensive, some hardly do anything at all."

Market forces ultimately will determine whether vendors take action, Mead contends.

"I think there are still a lot of organizations that are looking for small, cheap products they can use very quickly," she says. "To that extent, security isn't a high priority to them."

Often, safety is secondary to efforts to include novel features in a particular product or getting it to market ahead of competitors, Redwine says. Another reason why vendors may not latch on to the model -- it may expose shoddy security practices, he contends.

"Very few software companies can make a convincing case that their products are trustworthy," Redwine says.

But larger manufacturers, which likely already have a trustworthy evaluation process in place, will want to participate in the framework's creation so it will be "more synergistic with what they already have done," Mead says.

IBM's Nadalin agrees. "Your major companies are going to have something. Your 50- to 100-person companies may not have any processes to follow. We are in favor of this effort. We feel this could result in some significant outcomes for all vendors included."

He believes vendors willing to accept new practices tend to be more successful than their status quo competitors.

"The best outcome is that people from various companies that have done this will actually come to agreement, and maybe they'll be able to sell their tooling in that way," he says. "I find that companies that have adaptive styles seem to sell more products."

Campara, whose company stands to profit from the framework's development, hopes it is an easier sell than some think.

Her contention is that software suppliers, wanting to avoid the cost of issuing new patches or the embarrassment of admitting to a flaw, will conform to the new model.

"They will pay attention to this," she predicts. "It really hurts their brand once their software is deployed and vulnerabilities are found and they are exposed."

The ultimate goal, of course, is to close up the holes that could attract terrorists such as Imam Samudra, the Bali bombing orchestrator.

"Security today is very important," she says. "I don't think people are taking it seriously."

Her "mission" is to change that.

SETTING STANDARDS: Object Management Group

Founded in 1989, OMG is an open membership, nonprofit consortium that creates and maintains computer industry specifications for interoperable enterprise applications. The group lists 600 members, including Boeing, General Dynamics and Bank of America.

OMG's "flagship specification" is the multi-platform model-driven architecture, a software-design methodology that uses specification language to translate platform-independent models to platform-specific models.

OUT FROM UNDER: Making the world better

Djenana Campara knows that securing software is her calling.

She lost 11 family members – including her 83-year-old grandfather who was shot by a sniper – in the Bosnian War. The conflict ravaged her homeland from 1992 to 1995 and claimed the lives of roughly 200,000 people.

"I support anything that we can do to prevent any mass violence," the 44-year-old says. "One way of fighting [terrorism] is to be secure through all of our critical infrastructure. I've seen the tragedies when people die and what that does to countries."

Campara left Bosnia for Toronto in 1988 with her first husband and daughter, Maja, now 18, to escape a dismal economy. Raised in a household that promoted education, and a graduate of the University of Sarajevo, Campara secured a prestigious, but insecure, job as a software engineer in her native country.

"You never knew if you'd have a salary next month," she says. "They were usually very late [in paying employees]. It was very tough to be able to support a family."

She settled in Canada with no grasp of the English language. She taught herself through reading books, watching daytime television and practicing in front of her then infant daughter.

Campara, who speaks with a slight accent, did not abandon her country when she arrived in Canada. During the war, while working at Nortel Networks, she engaged in humanitarian and political efforts, including working with the U.S. Congress and the U.S. State Department on fact-finding missions, helping Bosnian refugees settle in Canada, and participating in United Nations negotiations. Campara, who re-married through common law in 1998, also helped found the International Parliamentarians Against Genocide in Bosnia.

Now, she is a leading lady in a male-dominated industry. Campara likes to recall an encounter she had with a male attendee at an Object Management Group meeting three years ago.

"He said, 'This is the first time in my life I've seen a CTO being a woman,'" Campara recalls. "I said, 'Honey, you've got to get out more often.' But, I found out that he was right." --Dan Kaplan

SOFTWARE ASSURANCE: Available by late next year

Object Management Group's (OMG) software assurance framework is an automated model that will allow suppliers to evaluate their products in a formal way, says Djenana Campara, co-chair of the group's Architecture-Driven Modernization Special Interest Group.

The framework, expressed algorithmically in terms of a meta-model, includes suppliers' claims and evidences about their products, determined through dynamic and static analysis testing, Campara says. The model also will take into account documented industry reference tests -- such as those from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and Common Criteria -- that express nonfunctional requirements for products.

"The meta-model will enable this information to be exchanged among different tools, which will enable vendors that specialize in certain languages, platforms or particular types of software systems to deliver solutions in conjunction with other vendors," according to an OMG white paper.

Ultimately, the model will calculate a piece of software's trustworthiness and risk, and allow it to be compared to other products -- essentially standardizing the process, Campara says.

"We are all on the same page," she says. "We all have the same understanding of what is required and what is the outcome. Two plus two is four, and there is no room for misinterpretation."

OMG -- a nonprofit consortium that produces and maintains computer industry specifications for interoperable enterprise applications -- expects to issue an RFP for the framework by November or December, Campara says. Responders, however, either must be existing members, or they must sign up on the OMG website to join.

The RFP submission process would close about four months later, with the framework scheduled to be accessible on OMG's website by the end of 2007 or early 2008.

Visit https://swa.omg.org to join OMG.

-- Dan Kaplan

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.