There is a clear correlation between the irresponsible disclosure of software vulnerabilities and the appearance of worms, says James Whittaker. Whittaker, chief scientist at application security vendor Security Innovation, says there have been several cases in which worms wouldn't have been written if the bug hadn't been disclosed.
So what to do? Whittaker advocates for CSOs to share information about bugs with software vendors so that they can fix them. If CSOs act collectively, they can improve software quality by disclosing such vulnerabilities, says Whittaker, who is also a computer science professor at the Florida Institute of Technology. CSO (US) departments editor Kathleen S. Carr talked with him about responsible disclosure, government regulation and why he wouldn't want to be a CSO.
CSO: Why are vendors taking software vulnerabilities more seriously now?
James Whittaker: In the early 1990s, what sold software was feature richness. People didn't care about quality. In the late 1990s, the focus shifted to time to market. The features had caught up to each other. Internet Explorer and Netscape were exactly the same. Now, the only distinguishing factor is quality. But quality costs a lot, and you can't charge for it. People pay more for extra features. So vendors latched on to security as the one aspect of quality that they could charge for. Worms and exploits cost companies a lot of money. So security affects the bottom line. Vendors are focusing on security because they see it as immediate cost savings. They are advertising security. It sells copies. It's a market differentiator.
Does government need to regulate software?
I think that'd be disastrous. We've made massive strides for 50 years in software quality and security, when compared to any other industry. The government needs to look at us in that context. In the 1980s and 1990s, the US government developed a great deal of its own software and contracted out custom development - so-called GOTS [government off-the-shelf] software. They even prescribed it to be written in Ada, a language specifically designed for error avoidance and largely shunned by commercial entities.
In the mid-'90s, the government abandoned Ada and GOTS, and pushed to buy more commercial off-the-shelf software to increase quality and interoperability and to decrease cost. To me, this was an admission that - despite superior programming languages (Ada over C), and more money spent on development - commercial software developers were ahead of government developers. Since then, government's reliance on commercial, off-the-shelf software has continued.
I hate the idea of being regulated by someone who has admitted that they can't get it right.
What can CSOs do to demand disclosure?
Those poor bastards. I've been recruited by Fortune 50 companies to be their CSO, but it's a hopeless, thankless, impossible job to do well. When I consult with them I say, "Here's a shoulder to cry on." They represent the customer. It's the CSOs who are kicking all the major vendors to do better. They can force change in the industry. The big vendors are most afraid of the CSOs. Vendors have a deep respect for CSOs. So power rests in the CSOs' hands. If they use their clout collectively, they can institute change. And they need to. Their butts are on the line.
On the government side, there is a lot of turnover. In a certain sense, it's a good thing. Vendors are against regulation. The more nervous vendors get, the more proactive they might be.
For more on bug disclosure, read "Beyond Passport Vulnerabilities".