
We can mitigate social engineering attacks through better user interface design: tools that guide the person toward making the safe choice rather than flooding the user with a pile of information and hoping they make the right guess.
But security defects in code? Well, it turns out that security defects are a subset of code defects, so if we could write better code, we would have fewer defects altogether, and by reducing the number of bugs we reduce the number of information security bugs along with them.
We've been writing code for sixty years so you'd think there would be a lot of effective static code analysis tools available, but the ones on the market are fairly ineffective.
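To make concrete what a static code analysis tool actually does, and why the ones we have are easy to fool, here is a small checker written for this page as an added example; it is not a tool the post describes and not code from the author. It walks a Python module's syntax tree and flags two patterns a security reviewer cares about: `eval()`/`exec()` on a non-literal argument, and `subprocess` calls with `shell=True` whose command is not a string literal. The three source strings it is run over are constructed for the example. The rule set, the `Finding` record and the function names are all assumptions of this illustration.

```python
"""Toy AST-based static analyser (illustrative; not a production tool).

Flags a few call patterns that compile fine but are classic security
defects. The sample sources below are constructed for this example.
"""
import ast
from dataclasses import dataclass

# Assumption: the dangerous-call names this toy checker knows about.
DANGEROUS_EVAL = {"eval", "exec"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _dotted_name(call: ast.Call):
    """Return 'a.b.c' for Attribute chains or 'name' for bare Names, else None."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _shell_true(call: ast.Call) -> bool:
    """True when the call carries a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def analyse(source: str):
    """Parse `source` and return a list of Finding records, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _dotted_name(node)
        first_arg_literal = isinstance(node.args[0], ast.Constant)
        if name in DANGEROUS_EVAL and not first_arg_literal:
            findings.append(Finding(node.lineno, "dynamic-eval",
                                    f"{name}() called on a non-literal argument"))
        if name in SUBPROCESS_CALLS and _shell_true(node) and not first_arg_literal:
            findings.append(Finding(node.lineno, "shell-injection",
                                    f"{name}(..., shell=True) with a non-literal command"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample 1: two real defects the checker catches (lines 3 and 4).
CAUGHT = '''\
import subprocess
def run(user_input):
    subprocess.run("ls " + user_input, shell=True)
    return eval(user_input)
'''

# Constructed sample 2: same defect, but the import alias hides the name
# from a purely syntactic matcher, so the checker reports nothing.
MISSED = '''\
from subprocess import run as r
def run(user_input):
    r("ls " + user_input, shell=True)
'''

# Constructed sample 3: no untrusted data anywhere, yet the argument is an
# expression rather than a literal, so the checker raises a false positive.
FALSE_POSITIVE = '''\
import subprocess
subprocess.run(" ".join(["ls", "-l"]), shell=True)
'''


if __name__ == "__main__":
    for label, src in (("caught", CAUGHT), ("missed", MISSED), ("false positive", FALSE_POSITIVE)):
        print(label, [(f.line, f.rule) for f in analyse(src)])
```

The second and third samples are the point: a checker that matches names and literal shapes has both false negatives (an alias defeats it) and false positives (a safe expression trips it), which is roughly the trade-off today's commercial tools are still making, only at much larger scale.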
I believe the next generation of code analysis tools is coming, but it won't come from the usual place - not out of computer science departments. It will arise from the Industrial Internet of Things. Companies manufacturing code for highly sensitive devices use highly advanced tools to validate their code across all possible environments.
When I was a programmer at IBM Poughkeepsie, I looked with envy at the engineers who had scores of tools to guide them when they designed a chip: tools that would verify race conditions, tools that would check for thermal exceptions, every possible physical outcome. The best we had was a compiler which told us that our code conformed to the syntax of the language we used.
But I believe help is on the way.
And that is our Bit of Security for February 14, 2024.