Recently there has been a lot of buzz about Perfect Citizen, an NSA program designed to discover security vulnerabilities in critical infrastructure, such as the power grid. Apparently the program was designed to take an offensive security approach to protecting information assets. If that sounds conceptually familiar, that’s because it’s awful lot like the way most organizations approach application security: test first, then fix.
Critical Infrastructure in North America is already subject to information security standards through NERC CIP. In fact, System Security Management: CIP-007–5 provides detailed System Security Management requirements. Yet the standard makes no specific mention of generating specific, low-level software security requirements and verifying those requirements. Instead, utilities and other critical infrastructure organizations are often left to pursue the status-quo approach to application security: testing for security vulnerabilities and patching those vulnerabilities. Without a focus on preventative application security, it’s no wonder that we hear about efforts to hunt down common software weaknesses in the software that supports critical infrastructure. Gary McGraw commented on a similar phenomenon in cyberwarfare.
Make no mistake, detecting security vulnerabilities is a critical step in building high assurance systems. It can’t be the only step. We can’t test ourselves secure in private sector software, nor can we do so in critical infrastructure systems. Imagine, for a second, that any piece of software deployed into critical infrastructure had outlined detailed security requirements for all relevant weaknesses in the CWE along with details on how those requirements were tested for. Imagine how much more confidence we could have in those systems.
In the private sector software security is often about an opportunity cost trade-off: should developers spend time on features or security? Features often come out on top. In critical infrastructure, we can’t afford to have the same outcome.