Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Says Its Secure Dev Methods Are Publicly Known

Posted by samzenpus on from the nothing-special dept.

Trailrunner7 writes "Despite its reputation for secrecy and technical expertise, the National Security Agency doesn't have a set of secret coding practices or testing methods that magically make their applications and systems bulletproof. In fact, one of the agency's top technical experts said that virtually all of the methods the NSA uses for development and information assurance are publicly known. 'Most of what we do in terms of app development and assurance is in the open literature now. Those things are known publicly now,' Neil Ziring, technical director of the NSA's Information Assurance Directorate, said in his keynote at the OWASP AppSec conference in Washington Wednesday. 'It used to be that we had some methods and practices that weren't well-known, but over time that's changed as industry has focused more on application security.'"

7 of 114 comments (clear)

  1. Here's proof that... by Anonymous Coward · · Score: 4, Insightful

    ...it is definitely possible to write secure software if you just simply follow sound and smart development methods and practices... and don't write half-assed, slipshod, thrown-together-in-a-hurry code.

  2. Of course they say that by dkleinsc · · Score: 5, Insightful

    If the NSA has something that really is Schneier-proof, they wouldn't tell the public. And understandably so, since part of their job is in part to ensure signal security for US agencies that deal in classified information.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:Of course they say that by hedwards · · Score: 4, Insightful

      But it's almost certainly true. Just look at OpenBSD's record. They went for a full decade without any vulnerabilities in the base system before one was eventually found. And that's from a group of mostly volunteers. Just imagine what you could get from programmers that are both paid and required to use secure coding practices.

      What's really embarrassing is that most of it has been known about for quite some time, but for one reason or another the organization funding the programming doesn't feel like paying for it to be done securely. It's a similar problem to programming style.

  3. Re:I see it more like a proof that by Applekid · · Score: 4, Insightful

    That's a closed source/open source distinction. It has nothing to do with development methodology... except that there are more eyes when it's open.

    Depending on whose eyes for closed source, I'm pretty sure the NSA has plenty of great eyes looking over code.

    --
    More Twoson than Cupertino
  4. Re:I see it more like a proof that by icebike · · Score: 5, Insightful

    security doesn't come from obscurity

    Exactly right.

    The best security is the kind where everyone knows how it works, but even given the source code, you can't beat it, or you can't beat it in any useful length of time.

    That being said, the automated code inspection packages you can buy these days look only for the obvious noobie programmer mistakes.

    SELinux, originally from NSA, solves many of the problems of running untrusted code on your box, but even that is not 100% secure, and the maintenance problems it introduces mean that it is seldom used in real life.

    The problem is not how this agency (the NSA) cleans up their code.

    The problem is that we don't know about what backdoors exist in our hardware and our operating systems. Because so much code is embedded in silicon, and so few people actually look at that code, its easy to imagine all sorts of pownage living there.

    A compromised Ethernet card (just sayin by way of example), would be both Obscure, and hard to detect, and have access to just about everything going in and out of your machine.

    Security does not come from obscurity, but insecurity often does.

    --
    Sig Battery depleted. Reverting to safe mode.
  5. Re:Doesn't make sense by hedwards · · Score: 4, Interesting

    I suspect it's more along the lines of people expecting there to be something significant that they have for writing secure code. I'm willing to bet that the only thing they have that most other organizations don't have is a substantial budget for auditing the code for vulnerabilities. They probably wait longer before deploying code as well until it's been thoroughly vetted.

  6. Social engineering always wins by boristdog · · Score: 4, Insightful

    The Soviets almost never used to crack codes. They just social-engineered (blackmail, sex, gifts, schmoozed, etc) to get all the information they wanted.

    It's how Mitnick did most of his work as well.