News

At RSA: General pushes 'No tolerance' policy for security bugs

• By John K. Waters
• March 2, 2004

As far as retired U.S. Air Force General John Gordon is concerned, the blame for the sorry state of software security lies with developers. "This is a problem for every company that writes software," Gordon said. "It cannot be beyond our ability to write and distribute software with much higher standards of care and much-reduced rates of errors and a much-reduced set of vulnerabilities."

Speaking on Wednesday to RSA Conference 2004 attendees, Gordon, who serves as chairman of the Homeland Security Council, asserted that if developers could reduce the error and vulnerability rate of applications by a factor of 10, it would "probably eliminate something like 90% of the current security threats and vulnerabilities."

Gordon said the IT industry in general needs to be more intolerant about security vulnerabilities in all software, and should worry less about the attack landscape. "As long as there is vulnerability it will be exploited," he said. "The industry needs to focus on removing vulnerabilities and remediation work, and not get hung up on who the attacker might be. Once we start writing and deploying secure code, every other problem in cybersecurity is fundamentally more manageable as we close off possible points of attack.

"Once we start writing and deploying secure code," added Gordon, "every other problem in cybersecurity is fundamentally more manageable as we close off possible points of attack."

Security of the homeland kind was something of a theme at the conference. Event sponsor and namesake RSA Security announced that its BSAFE Crypto-C Micro Edition 1.7.2 encryption software has received Federal Information Processing Standards (FIPS) 140-2 Level 1 validation.

BSAFE Crypto-C Micro Edition software is designed to give developers the ability to add cryptographic security to wireless or embedded applications. The product includes sample code, in-depth documentation and technical support to help users meet increasingly stringent government security requirements without having to become cryptographic experts.

Standards compliance is fast becoming a big issue for developers. The FIPS 140 validation is required before any cryptographic product can be used by U.S. federal departments or agencies. The validation means that BSAFE licensees may use its FIPS-approved standard public-key encryption algorithms, symmetric encryption algorithms, message digest algorithms and other security components, and claim use of FIPS 140-2 validated cryptography in their own products. According to RSA, the validation removes many procurement and technology deployment barriers for third parties developing and selling secure software applications to U.S. and Canadian government agencies.