
200 Words


Your "Homeland Security" issue described external attacks on our systems; however, threats exist inside as well as outside our systems. “Who is Liable for Bugs and Security Flaws in Software”, by Michael Cusumano, contained: “… a determined villain … will find a way into the system.” The way into the system does not have to be from the outside. A recent Computerworld.com article by Gary McGraw contained: “Software security relates entirely and completely to quality. You must think about security … in the design, architecture, test and coding phases...” Again, there is no mention of the possibility of attack from the inside. The 9/11 attackers were trained to fly inside “the system”, and were allowed on board our aircraft by “the system”. To protect our computer systems we must assume those who would harm us are already inside our development world.

I propose two ways to examine our software for security risks: path coverage analysis and concordance analysis. If we have executed our tests and discover unexercised paths, we should add tests or remove the suspect code. Additionally, we should generate a concordance for the code. High-risk words should be highlighted and reviewed (e.g. “Osama”).
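A minimal sketch of the concordance step, added here as an illustration and not part of the original letter: it indexes every word in a source file by line number, splitting identifiers so that words buried inside names are found, and reports the watchlist hits for review. The watchlist entries other than "osama" and the sample source are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed watchlist: "osama" is the letter's example, the rest are illustrative.
HIGH_RISK_WORDS = {"osama", "backdoor", "bypass", "secret"}

# Constructed sample source, not taken from any real code base.
SAMPLE_SOURCE = '''\
def check_login(user, password):
    # normal path
    if verify(user, password):
        return True
    if user == "maint" and password == secretBypassKey:
        return True  # temporary backdoor, remove later
    return False
'''

WORD_RE = re.compile(r"[A-Za-z]+")  # also breaks snake_case at underscores
CAMEL_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+")  # camelCase / acronyms


def split_words(line):
    """Yield lowercase words from code, comments and string literals alike."""
    for token in WORD_RE.findall(line):
        for part in CAMEL_RE.findall(token):
            yield part.lower()


def build_concordance(source):
    """Map each word to the sorted list of line numbers on which it appears."""
    index = defaultdict(set)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for word in split_words(line):
            index[word].add(lineno)
    return {word: sorted(lines) for word, lines in sorted(index.items())}


def flag_high_risk(concordance, watchlist=HIGH_RISK_WORDS):
    """Return only the concordance entries a reviewer should look at first."""
    return {w: concordance[w] for w in sorted(watchlist) if w in concordance}


if __name__ == "__main__":
    lines = SAMPLE_SOURCE.splitlines()
    for word, hits in flag_high_risk(build_concordance(SAMPLE_SOURCE)).items():
        for n in hits:
            print(f"{word:10} line {n}: {lines[n - 1].strip()}")
```

Cross-referencing the flagged line numbers with the unexercised paths from a coverage report gives reviewers a short list of code that is both untested and suspiciously worded.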

 

Copyright © 2004 Detection Five-0
Last modified: 04/03/04