Thursday, November 20, 2008

The infrastructure crisis

There is an infrastructure crisis in the United States beyond our decaying bridges, roads and sewer systems: Systems that are vital to commerce and the everyday lives of the American people are insecure and vulnerable to attack.

Yesterday, we published a story about Green Hills Software obtaining a high security accreditation from the US National Security Agency. Naturally, Green Hills had an interest in convincing me that its Integrity operating system was the right medicine.

Granted, Integrity's merits have been proven. It is only 4000 lines of code, and it leaves far less surface area exposed for attack than mainstream operating systems. The fact that it is available is a good thing.

I am by no means an expert on infrastructure security, but I have to question why critical systems in the public sector were not hardened in the first place. While using a secure operating system is only part of the answer, software like Integrity should already have been widely used, and there should not be a security 'crisis.'

There were guidelines for designing secure software in the past, but I am told that they were difficult to obtain. The Trusted Computer System Evaluation Criteria, known as the Orange Book, was held too close to the military's vest. The NSA's National Information Assurance Partnership (NIAP), which tested and certified Integrity, is a more recent development.

Security has long been an afterthought in software, and vulnerabilities were not given the same treatment as other defects. Bridges are designed to meet certain tolerances: Why wasn't the software that we rely upon? The nation's neglect of the public sector would be unfathomable if it weren't reality.

