Will Security Task Force Affect OSS Acceptance?

An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undiciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be writen entirely by licensed developers to be considered secure? . Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.

Only as secure as platform...

[mikeyrb]

But programs are only as secure as the platform they run on, and of course the same as the people who use them. If people don't run their system properly, I'd say that's worse. Not to mention that people would use trusted vendors anyway, so I don't see what this adds.

Do they not get it?

[roninmagus]

Do they really believe that licensing software developers will lead to more secure software?

I'm not following their train of thought. Software development is an industry which constantly has to defend itself from **NEW** hack attacks. The best we can do is protect ourselves from known attacks, and try our best to forsee future ones.

It puts yet another industry under undo government control, and yet against shifts the focus away from the people actually doing harm--the hackers.

Re:Do they not get it?

[vegetablespork]

On the plus side, since we're licensing for "homeland security" reasons, there's no reason non-citizens should be writing any software used in the U.S.' critical infrastructure. Right?

Re:Do they not get it?

[aheath]

Neither article explicitly touched on the issue of software quality assurance. The development of processes and procedures for writing secure software should go hand in hand with the development of processes and procedures for testing secure software. SQA methodology has to expand beyond usability and functional testing to incorporate security testing.

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

Re:Do they not get it?

[elrond2003]

>>>>Do they really believe that licensing software developers will lead to more secure software?

You have missed the point, nobody on the committee cares about improving security. The worse it is the more money they make. Only MS (and perhaps a few other huge contributors) will be able to generate certified software engineers so only MS software will be useable. Thus LINUX will either die from lack of use or die from being commercialized by MS. There will be two benificiaries, MS by making money and selected congresspeople who will get brib^h^h^h^h campaign contributions. Meanwhile NSA software will be generated in China, rather than by US programmers.
If there were any interest in having secure software the committee recommendation would be to ONLY allow open software.

Re:Do they not get it?

[the_2nd_coming]

yeah...is is called Software Engineering.

very few commercial software applications use correct software engineering techniques which is why so many bugs are in the software. medical equipment and air craft equipment and car equipment is tested. re tested and run through all the engineering processes in order to make it bullet proof.

real software engineering is not profitable with out making software cost a bloat load more than it does.

Re:Do they not get it?

[vegetablespork]

cheese-eating

Actually, I'm enjoying some Freedom onion dip right now :).

~~~

Re:Do they not get it?

[Jerf]

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

It's a good idea on paper, which is why people like me are well-nigh terrified when this idea comes up.

The problem is one of expectations. Yes, we could apply that rigor to all software. But,

1. No more garage startups... and all new technology tends to start there. Innovation, true innovation, takes a huge hit under these schemes and we lose huge advantages to any country that doesn't enforce these rules.
2. Expense. Those methodologies eat manpower for lunch. Are you going to pay for it? For every piece of software you use? Even "ls" or "echo"? No, and neither will anyone else. It only makes sense for certain things, and different level of rigor makes sense for different kinds of programs... even different levels of rigor for different guarentees. Good luck even figuring out which of these is right, let alone getting the government to mandate the correct levels! We are far from a consensus on what is appropriate; we're not even sure where it makes economic sense to use what we know, and we certainly don't know what we don't know.
3. Freedom of choice. The converse of the above; we should be able to choose how secure our software is, because it's not free. Mandating any security level, and since other people's time is always free, you can be sure the government will mandate a very high level, means that I am forced to buy these high security products. What if I don't care? My game console is free to crash, and even if it's 0wz3r3d, who cares? On the next power cycle, it'll return to normal. (At least modern architectures.)

In the real world, it is, to put it bluntly, a shitty idea.

It's not time for government mandate, it's time for the market to start demanding security. The proven method for balancing cost vs. performance is the invisible hand of the market.

The root cause here is a monopoly, training people not to be concerned about security. The correct solution is a healthy market.

Best of all, we won't find ourselves in 2015 shackled by government mandate to 2005 engineering techniques. It's an act of shocking hubris to think we've got this figured out enough yet to mandate any solution.

Licensing again huh?

[DroidBiker]

I suspect we'll have some sort of meaningful licensing scheme someday. It'll probably take a while tho. There will be a lot of pain and probably more than a few witch hunts before it happens.

One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"

Texas has had licensing for a few years. Anyone know how it's worked out?

Re:Licensing again huh?

[Alan+Cox]

There is two reasons to license software developers in the USA. Neither are good. The first is so that you can forbid compilers, debuggers and other "dangerous" tools to the RIAA/MPAA being in the hands of the masses. The second is to stop the all the computing jobs leaving the US by having a US certification required but inaccessible to the competition.

I'm all for formal open standards for security. And I am very much for formal accredited qualifications in safety critical systems. I'd love to see an MSC in computer security and similar university qualifications - but it has to be a proper and open thing, not some goverment office of computer programmer licensing.

As to accountability - there is a simple solution. Do something about the ability of companies to use software licensing as a get around for liability for product in most countries. Make it like other product. If its sold then it should be suitable for purpose. (Note here sold - paid money for. I see no reason why *paying* for open or closed source ought to be different).

It will also improve computer security no end the day a company gets sued for harming others by being negligent in applying security patches to its systems.

How about driver's licenses?

[civilengineer]

THe idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt ( no more wars maybe??). So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.
Similarly, the licensing scheme will again create a dearth of licened software professionals,leading to high salaries for the licensed initially and then the bubble will burst. Everyone will have a license eventually, and we will be back to square one. So, the solution is to come up with better error prevention and correction methods for existing software professionals/ (drivers) rather than try to create licensed professionals. SO, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.

Pointing Fingers

[RetroGeek]

All this does is create a person who can be targeted if Something Goes Wrong(tm).

With OSS there is no "someone". With a licenced developer you have someone to blame.

Paraphrase of John Milton

[Nate+B.]

I recall a quote from John Milton that went something like this, "None can love freedom but good men. Others love not freedom, but license."

How much would licensing developers much like doctors, lawyers, architects, etc. affect development? It would likely mean more than, say, an MCSE or RHCE, or NCE. Would developers need to be licensed for a specialty?

Most likely there would be some sort of age and education requirement which would prevent some of the younger and perhaps self-taught developers from contributing to certain projects. Also, what about code developed outside the USA? One would have to be rather naive to assume that all the software in use was written in the USA, but sadly, I think that perception is all too common.

Happy 2004, everyone!

- Nate >>

"Licensing" == "Certification"?

[mrkurt]

Quite honestly, the SD Times article told me nothing about what they're really going to do about improving security in applications. You could substitute "licensing" in that article for "certification", as in some vendor's certification of developers. Then, it looks like a useless measure of what that person knows about security. If, however, it is more of a civil service exam, and they're going to test for knowledge of how to write secure code, then it would make a lot more sense.

Trends are fun

[DroidBiker]

In the near term if they adopt a licensing scheme the first iteration at least will be something like the programming language Ada.

The US military brass decided at one point that it would be great if all of their software was written in one language. They forned a comittee to design what they wanted. Ada was created and various military agencies started insisting on its use.

The problem was that what they designed wasn't flexible enough and over time Ada became less and less important.

Licensing will go a similiar route. The government will spend millions on a comittee to come up with requirements for a standard software engineer license. Then they'll find out that their licensed folks STILL screw up and eventually it'll become less of a big deal.

That being said, if software engineering licenses come into existance at the federal level you can bet I'm going to get one.

Two questions

[hdparm]

Does it mean that software created by those same developers, now licensed, in the past is now cleared? Are they going to hold developers and engineers accountable even if they're forced to produce code based on inherently flawed design, driven solely by profit and questionable business practices?

Why the license idea doesn't fit.

[rice_burners_suck]

Would OSS have to be [written] entirely by licensed developers to be considered secure?

As the past owner of two different businesses and the present manager of a mid size company, I can confidently say that the answer is no.

This is very simple. Over the years, I have hired a wide range of different people to work as programmers. I had everything from masters degree programmers with 20 years experience to kids out of school who do it as a hobby. In all cases, what determined the success or failure of the project was not the qualifications of the programmer. I had masters degree programmers write such gibberish that multi-hundred-thousand dollar projects were cancelled. I had masters degree programmers who did a marvelous job. I had some kids code up another product that worked so beautifully that it only made the company money. I also had kids who did a crappy job and the project failed. In other words, success or failure is determined by results, and nothing else.

Returning to the above question, software is considered secure if it is tested for vulnerabilities and is found to be strong against attempts to break in. If the programmer has a Ph.D., that's all nice and pretty, but it means exactly Jack Schitt. The results are the only thing that matter.

Therefore, I think this committee should not waste its time with issues like licensing, because that will only create more bureaucracy, more fees, and entire administrative efforts... and it provides no guarantees of success. They should figure out a way to measure the reliability of a piece of software (reliability is the parent category of security, because an insecurity reduces reliability). They should make up some guidelines for how mission critical systems should be judged and tested. Perhaps they should recommend that the government should hire its own crackers to constantly look for and help fix vulnerabilities. Because security isn't a one-time thing. "Let's license programmers and the problems will go away." It doesn't work like that. Like everything else related to management, in security, the only constant is change.

This is the silver bullet

[RealProgrammer]

... syndrome. Lawmakers always want something that sounds good, looks good, and will make them appear to be addressing the problem.

The conceptual framework they're working under is wrong. They assume that a single person is the author of a program. Maybe some programs have just one author, but most have several. The main, lead programmer, who is typcially the copyright holder, may not even look at every line of code in a program.

The bit about a culture shift is valuable. Projects should be built with security in mind, using basic principles (least privelege, minimize scope, check your loop bounds, etc.) that are, coincidentally, good programming practice.

But the culture shift that's needed is away from blame-based analysis of security failures and toward cooperative assistance. That shift is assisted by opening source code. Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.

No program is bug-free. No committee of Licensed Gurus can eyeball scan a progran and find all its bugs. It takes running the program in real-world situations to find some (most) bugs. Licensing the programmer will not decrease the number of bugs in a given program.

Lawmakers would do better to simply stay out of the matter entirely than to introduce bureaucracy for the sake of appearance.

Blaming the developers?

[Crypto+Gnome]

Here's a summary of the plan.

• A software developer (ie a programmer) gets licensed
• works on a project for (name some large company)
• company management provides direction for the programming efforts (as they do)
• software is iunsecure by design, due to management decisions (happens now, and the plan changes nothing here)
• software is finished
• ....marketed
• ....purchased
• ....deploye d
• ....ends up killing over 10 thousand people for some trivial reason
• programmer takes 100% of the blame; firing squad at dawn
• company/management who made the decisions which introduced the lack of security get off Scott Free; zero legal consequences of their stupidity

Or am I misunderstanding the whole point of the exercise?

Immature discipline

[sjames]

Consider the many centuries we were building buildings before we had anything beyond a few guestimated best practices to assure that they wouldn't fall down. Eventually, the field matured and we figured out how to calculate the strength of a building in advance. Even then, it is only reletivly recently that we could do dynamic simulations. In spite of that, we still have mishaps.

Furthermore, we STILL are not at the point where we can guarantee that a building will hold up under attack. In fact, we are certain that ANY building can be destroyed using explosives. In fact, any device we invent can be destroyed and in turn cause destruction when deliberatly used contrary to it's design.

At the same time, there are levels of vulnerability that are clearly substandard. Buildings must not simply fall down in a light breeze and cars must not explode when you start them.

On the basis of that, licensing and liability will need to be restricted to a very small subset of applications, and they will be very expensive. For the same reason that most of us don't have bomb proof cars, most software will not be built to that standard.

The other case would be grievously stupid design decisions such as having email from anonymous strangers be executable or using gets for a publically acessable interface.

I'll take it, on one condition

[Todd+Knarr]

That condition comes from the licensing of civil engineers, too. You have to be licensed to be a civil engineer, pass some fairly effective exams and all that. You can be held personally and professionally liable for screw-ups in your designs. But there's another aspect: you have control. If you're the civil engineer on a project and you specify that it needs X grade of concrete, that's it. If management tries to say "That's too expensive, build it using a cheaper concrete.", you get to say "No can do." and they can't argue. If they do, you make a phone call and the next day some gentlemen with badges show up to discuss the fines and penalties management is going to pay. If management fires you and uses the cheaper concrete anyway, the discussion will be about criminal charges on top of their liability, not yours, for any damages done because of their illegal substitution.

If licensing of software engineers includes everything that licensing of civil engineers does, including the "those who don't have the license do not get to overrule you on how the job gets done" provisions, it's IMHO a good deal. We ought to press for exactly that in licensing, because while companies would be highly allergic to it it'll play very well with the public. Think about public reaction when a structural failure turns out to have been caused by someone substituting shoddy materials for what was originally specified or otherwise not doing things the way the engineers said to do them.