It’s no secret that computer security is a difficult area of expertise. At the annual RSA Conference in San Francisco this week, attendees were treated to a host of solutions for their security woes. As usual, however, software development is not the focus.
Robert Griffin, chief security architect at RSA, agreed that developing secure software is a tall order, and said that features typically trump security in the software development life cycle.
“The pressures I felt in the 80s and 90s looking for when code would cause problems; that pressure doesn’t seem to be there at the moment,” he said. “The model built by Google and Microsoft has supplanted so much that it’s hard to think about security. There needs to be a new methodology that reinserts security models into the rapid development life cycle.”
Griffin, who has been promoted to the point where he no longer has to write software, said that back in his days of being a coder, his team used three tools to ensure software security.
“One was code review,” he said. “Clearly we did that as a way of looking for obvious and less obvious errors. Second was vulnerability scanners. In the early days in the 90s especially, they searched for known coding errors. Third—although it was the hardest goal for us—was to find errors in the design phase. That was the hardest thing. You could find some errors in terms of assumptions, in terms of approach. The real errors occur as you were getting to the coding. It was so difficult to really identify vulnerabilities and significant issues at the design phase.”
When asked about the current state of OpenSSL, Griffin stated that he felt it was difficult to build secure software through an open-source process.
“It is very tough to deal with security issues when the focus is on the functionality,” said Griffin. “For the reference implementation around key management (for OpenSSL), it was much harder to drive security properties of that, even though it was a security protocol. I think there was a shift in the OpenSSL community after the RSA patents. Due to the sense that this supplanted those patents, there was a rush to move to that software without the level of inspection needed. Customers did rigorous reviews of our SSL code. I don’t know of customers who did that with OpenSSL.”