Make vendors responsible for vulnerable software, says Alan Paller, director of research for the SANS Institute.
Photo: Alan Paller, director of research, SANS Institute
Government's best weapon against dangerous cyber-attacks may be the public purchasing system, according to security specialist Alan Paller, director of research for the SANS Institute.
Paller urged state and local officials to write new requirements into procurement contracts that make vendors responsible for vulnerable software. "As of today, no procurement should come without security language in it," Paller said Thursday at Government Technology Conferences' GTC Southwest in Austin, Texas.
Shoring up vulnerable software is crucial for public agencies as cyber-threats grow in sophistication. Organized crime, terrorist groups and hostile nations now account for most major attacks, and they're making huge amounts of money from identity theft and extortion, said Paller. The FBI estimates that organized crime now reaps more profit from cyber-crime than from the drug trade, he said. What's more, those profits are plowed back into research and development that produces ever more sophisticated methods of attack.
Public- and private-sector organizations are struggling to keep pace with the growing number and severity of cyber-crime attacks. Instead of patching software systems after they're purchased, governments should demand stronger products before they buy, Paller said. "We can't continue to blame users for security vulnerabilities. You need to make vendors responsible for the security of their products."
Paller pointed to a new list of the 25 most dangerous programming errors that was jointly developed by more than 30 national and international security organizations. The list -- released in January -- identifies programming problems that produce security flaws and enable cyber-espionage and cyber-crime.
Video: Watch Staff Writer Hilton Collins show us how vulnerability is written into code.
These errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and software companies frequently don't test for them when developing products, according to the SANS Institute.
Paller urged governments to force vendors to verify that software products are free of errors identified by the Top 25 list before purchase. Inserting that requirement into government purchasing contracts would dramatically improve protection against cyber-attack, he said.
"You guys can do it," Paller said. "State governments can act together. You have massive power to change security. If you do that, you can change the world."