NIST, the US National Institute of Standards and Technology, released a report last December, “Dramatically Reducing Software Vulnerabilities.” It has multiple useful and interesting ideas for reducing vulnerabilities in software. I want to highlight two that I felt were most important.
There is no technological substitute for developer discipline. Education is not just about teaching developers how to write better software. It also includes educating users how to specify better software and managers how to set up environments that result in higher quality software.
They go on to say, “It is critical to inspire a sense of urgency in both the public and private sectors to address the shortage [emphasis mine] of skilled cybersecurity workers.” I could not agree more. Cyber security training provides a strong means to address your organization’s cyber security knowledge shortfalls.
Learning Tree’s System and Network Security Introduction provides an essential introduction to cyber security principles. Learning Tree’s CEO Richard Spires wrote in this blog a year ago about using Individual Development Plans (IDPs) for IT staff. Cyber security education clearly needs to be part of those plans.
Another important section in the report was “Measures and Metrics.” In the introduction to this section, the authors note the significant shortage or “dearth” of measures. They then go on to discuss some measures and propose a taxonomy of measures. They acknowledge that some measures already exist but explain that those existing measures are usually neither well defined nor well validated, and they admit that many of these measures are complicated to formalize.
Many of us learned in school or as professionals that “If You Can’t Measure It, You Can’t Improve It.” That’s from Peter Drucker. It is a simple maxim that clearly impacts software development and cyber security. After reading the report and its recommendations, perhaps the quote should have been, “If You Can’t Measure It Accurately, You Can’t Improve It.”
Also, the authors stress that measurement cannot take place just at the end of a project: it must take place “in all phases of software development.” This was not part of my computer engineering education, and I dare say it is not a significant part of the software engineering curricula today.
Do you include cyber security education in your staff’s IDPs? Are you integrating measurement in your whole software development process? Share your plans and obstacles by tweeting to @learningtree.
To your safe computing,