It is possible to develop secure code but only if vendors use a robust software development process and aren't afraid to call a monkey when they see a monkey, according to the retired chief scientist of the National Security Agency, Brian Snow.
At the AusCERT 2008 security conference on the Gold Coast today, Snow told ZDNet.com.au that software can be secure — but only if vendors overhaul the way they create it.
"We do not have robust software development processes. It is not that they cannot exist — there are many excellent software development environments out there that produce much better code than any commercial firms are.
Brian Snow speaking at AusCERT 2008
"A lot of commercial firms still produce what I call spaghetti code ... they buy programmers ... and let them work freely and creatively to produce code that they plug into the system without anybody else reviewing [it]," said Snow.
Reviewing is the "minimum first step", according to Snow, who said software designers have difficulty seeing faults in their own code — they need some "nasty cruel reviewer" to point them out.
"The designer loves his work — he is not capable of looking at it dispassionately. It is like his baby he is not going to throw it out.
"You need some nasty cruel reviewer to say, 'it's not a lovely baby, it's an ugly monkey, you have to go and work on it some more'," Snow said.