If you have been living in a cave or an island or a mountainside somewhere and have not heard, the new weapon of choice is cyber-security based. Attacking a company by wiping out its databases and computer files and/or spreading a virus and/or creating malware seems to be the most lethal and fearless method these days; just ask Sony, or Target, or dozens of other companies that have had the privacy of their computers and networks violated, and then wiped out. The Internet has brought us a great technological wave of invention, interconnection and technological advancement. With that progress, a great new security risk has been exposed. Networks used to be like castles. They were self-contained, with huge virtual walls that one could not get through. As the castles disappeared allowing great clans to become countries, the networks have evolved into inter-networks. However, just like the castles, where security was high, once the walls were no longer used, security became an issue.

We hear so much in the news about how these attacks are deployed, through malware and viruses and keyclicks. To combat these issues there is a huge effort of counter-technologies: Virus Scanners and Malware Detectors, generating huge profits to combat the security-breaching tools. However, these are, for the most part, an afterthought. In other words, they provide a defense to an already deployed method of attack. They cannot predict a future attack, nor can they detect what they do not know. Does this make them useless? Absolutely not. Use them with great abandon.

What we do not hear is the root cause of these security-related issues. The more I talk to people about it, the more they appear convinced that it is simply the nature of the beast. Like life without castles, you develop a police force that does a great job of minimizing the impact, you pay for it as a community and every now and then, someone's home or business is going to be robbed. Hopefully we will respond quickly, identify and punish the perpetrator, and continue onward. But what if there is a root cause? What if we put aside the complacency of acceptance, and looked a little deeper? What if we go back to the roots of computing and networking and critically analyze why there is so much insecurity?

To answer these questions, you ultimately end up staring right at the software.  This is the software that runs computers, switches, routers, and anything that has a processor.  The cyberattacks all have something in common - they change the behavior of the software to perform improper tasks.  The person who writes the software says: "That's not my fault, my software works perfectly!  If you modify it, that isn't my fault!"  Which begs the question, well how the heck does your software allow itself to be modified?  The answer is usually a shoulder shrug, or a finger pointing in any direction other than at the software author themselves.

Considering this, I had an epiphany. Almost all the software, the great software, is written today by degreed software engineers. Arguably this was not the case for Bill Gates who never got a degree, but most of his software is no longer used. The problems Mr. Gates' software solved were considerably simpler than the software being written today. Networking and Computer problems are extremely intricate and complex and sophisticated. Solving these problems requires large teams of well-prepared software engineers that often span multiple countries. There are great universities around the globe producing great engineers who are able to tackle these immensely difficult and complex problems. Learning curves are steep, and delivery timeframes are small. Innovation rates are expected to be exponential. So why the problems with security? Could it be that the engineers themselves are not prepared to write secure software?

I began to ask. I often get to meet teams of software engineers, many of whom are recent graduates from legendary software engineering institutions. How many of you took some sort of secure coding class as part of your degree program, I ask? I have never written down the actual numbers but from memory and rule of thumb I will tell you that one or two out of 100 will raise their hand. That, to me, is an alarm bell - a red flag that needs to be run straight up a pole. So I did. I contacted acquaintances in the institutions and asked them. Shouldn't I be getting 80 or 90 hands out of 100? The general response was the same: we are naturally concerned with this, but the cyberattacks are always changing and whatever we teach, the people who compile and write these bad pieces of software will always find a way around perfectly good code.

I don't buy that answer as acceptable. To the contrary, I would expect these great institutions to hire some of the best cybersecurity people to come in and teach classes on how their code works, how they find the loopholes in the coding design, and have projects as a mandatory part of a software degree program that create code and then prove that the code is un-hackable. I know what you are thinking: which cybersecurity people would want to do this? I concur that there would be few, but those few could make a big difference - a much bigger difference than signing treaties.

With the ferocity of forward movement and innovation demand comes some amount of sloppiness in software development. This sloppiness results in enormous code output, where libraries and subroutines are piled into the software storehouses in order to speed the development. Think of it as chefs storing all the possible ingredients in a huge pantry so that they can produce a certain dish. Some of those ingredients will never be touched, but just in case, they are in the pantry. The same goes for software. No one really cares if, once compiled, it fits onto your enormous disk and memory, and it does what is necessary. One can almost envisage the cyberattacker beginning to drool slightly, knowing somewhere in that immense pantry of software are weaknesses and vulnerabilities that the software engineers never even tested.

One of the possible roots of this time of vulnerability in our computers, networks, and applications points directly back to the creators of the creators of the software. We must immediately change the degree programs to incorporate software secure coding and testing practices, while remaining flexible and mindful of the continual improvement curve that must be incorporated into these programs. The way to immediately impact that change is that software companies must demand these skills by rote, and they must provide for immediate training of those already employed to fill the gap of knowledge. Like the Internet itself, and society after castles, a self-policing system must be invoked, and this is only attainable through advancing knowledge and skills so that weaknesses and vulnerabilities cannot be so easily deployed and executed on computers, networks and applications.
