There was an article that came around today called Software insecurity: Plenty of blame to go around over at GCN. The article contends that the blame for bad software lies at the feet of either developers or users, but that specifically who is to blame is up in the air. There is, of course, no shortage of opinion; check it out:
Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help... He said the suite of documents produced for the Federal Information Security Management Act effectively establish a level of due diligence for government IT systems.
Keith Beatty of Science Applications International Corp. went out on a limb by praising the oft-criticized Common Criteria program operated by NIST and the National Security Agency.
Do folks really need me to flay this, or is the lack of useful dialog already self-evident? Look, Common Criteria certification is not the answer to buggy software. Microsoft's products are Common Criteria certified, and they still have plenty of bugs - if that were the answer, I think we would have seen fewer bugs as more software went through the process, not more. As to the 150-page NIST document - I don't see the connection; sure, it's good to have an assessment program (special pub 800-53), it's good to have checklists for developers (special pub 800-53), and so on. But is more documentation from NIST really what the industry has been missing in order to write bug-free code? I'm thinking probably not.
Of course, there were some more helpful suggestions:
Eset LLC ... blamed the problem of buggy software on a disconnect between developers and users. What seems proper and intuitive to a developer often is ignored by users, who do strange and terrible things with their applications.
Clearly, though, this doesn't address all the problems: bugs occur even in the default configuration of products. If the Eset assertion were correct, shouldn't the default configuration be bug-free?
Eric Cole of Lockheed Martin Corp. acknowledged that software often has flaws...
At last, an assertion I can agree with. All software has flaws; I'll buy that for a dollar.