
Software assurance has reached a crisis point

November 15, 2010

The nation is in a crisis – and it's not what might first come to mind in these turbulent economic times.

Much of the software that the U.S. government is running can be successfully exploited, said Dan Shoemaker, professor at the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, speaking last week at SC World Congress in New York.

He is surprised there have been no major attacks yet on systems on which the public depends, such as power.

"Sooner or later, we have to start making it right," Shoemaker said.

UD Mercy is trying. The college recently completed a two-year project, funded by the U.S. Department of Defense, that created course content for educators.

Part of the curriculum will focus on steps typically left out of the software assurance lifecycle, including risk and threat identification and ethical hacking (penetration testing) – both of which can help developers better understand how adversaries operate, Shoemaker said.

"It's not just about specifications and design," he said.

What makes the project so unique, though, is that educators can get their hands on the content (and an iPad) for free. So far, UD Mercy has distributed roughly 30 of the tablet computers, loaded with the course content, to universities.

"There are no strings attached," said Jeff Ingalsbe, chairman of the computer information systems department at UD Mercy, who spoke with Shoemaker on a panel. "All you have to do is teach it."

He said it is time for common vulnerabilities, such as cross-site scripting and buffer overflows, to be solved.

"We train the trainer to train the trainer," Shoemaker said. "You're like Moses with the stone table."

Shoemaker said he hopes similar education makes its way to younger students, starting as early as middle school.
