On Software Correctness and Security
Ed Amoroso outlines a recent technical discussion with Erik Cabetas of @IncludeSecurity on advances in software security.

When I was in graduate school, my favorite book was Selected Writings on Computing: A Personal Perspective, by Edsger W. Dijkstra (Springer-Verlag, 1982). Organized as a printed compendium of Dijkstra’s best EWD articles – perhaps the earliest blog posts – the book remains a delightful read. It can inspire modern readers, much like the writings of Feynman and Einstein. I recommend that you go on Amazon right now and buy yourself a copy. (I’ll wait.)

A typical chapter would focus on a select computing primitive, such as linear search. The presentation would then include pages of beautiful prose and crisp mathematics, all centered on the design and correctness of the algorithm. The pieces are like little masterpieces, each crafted to demonstrate in its own way that computing science – like it or not – is a true branch of mathematics, and an unusually formal one, at that.

I had thoughts of Dijkstra, and software correctness, and computing science on my mind last week while having an iced coffee on Fulton Street with my new friend Erik Cabetas, founder of Include Security. I’d asked Erik to take the subway over from Brooklyn, because I’d caught wind of the amazing team of software experts he’d assembled, and I wanted to learn more about the fine software analysis and reverse engineering his company offers clients.

“We only hire experts,” Erik explained, “and we combine the best available software analytic tools, such as fuzzers, with detailed manual code review to identify design weaknesses and exploitable vulnerabilities in software. We can do this for virtually all forms of software including client applications, server applications, mobile applications, and web services. We can also reverse engineer software for security, litigation, or other purposes.”

Now, I hate to reduce the basis for Erik’s offering to a simple observation, but I’ll do so anyway: Software development continues to be performed by teams who are rushed to unreasonable deadlines by managers who prefer to deploy flawed software quickly. This business decision might reduce time-to-deploy, but it also results in a lot of crappy software. And that’s where Erik’s team comes in: They are best-in-the-business at finding your coding mistakes.

Consisting of an egalitarian team of international recruits, Include Security employs only the most capable and experienced staff – people for whom software is both their passion and art. Not surprisingly, Include Security’s world-class team members have also typically made the personal lifestyle decision to work only with clients that they believe they can help, and to blend their life interests with their work.

“Many of our team members enjoy working hard with a client on a tough software application assessment, often finding serious exploits that require immediate attention,” Erik explained. “They will often then seek some time off to pursue other personal interests such as foreign travel. This is our culture at Include Security, and it allows us to employ the best, and to provide an amazing work experience for them.”

Let’s return to Dijkstra: He made the point repeatedly that programming is a challenging discipline, and his assessment of the implications could be harsh: “Don’t blame me,” he wrote, “for the fact that competent programming, as I view it as an intellectual responsibility, will be too difficult for the average programmer. You must not reject a surgical technique because it is beyond the capabilities of the barber in his shop around the corner.” Ouch.

Dijkstra wrote those powerful words on September 11th, 1975, and because our field has not changed much in the decades that have since passed, the need for experts such as those at Include Security continues to be intense. My advice for those of you who write, use, or depend on software applications is this: Get in touch with Erik today, and ask him to take you through his fine services. Sadly, I think we can be certain they will find errors in your inevitably rushed code.

Please share what you learn.
