Effective Reviews for Real Software Security

To get real security that everyday people can effectively employ, we need proper protocols and tools. The development of these in turn requires good security reviews that can provide the information that we need to ensure security. But guaranteeing effective reviews is a complicated process.

The EFF’s Secure Messaging Scorecard

The EFF is very keen on getting high levels of security for all platforms that people use. This is why they developed their Secure & Usable Crypto campaign. They wanted to get developers to make protocols and tools that could give people real security. They also wanted these to be usable by average people who do not have much in the way of technical knowledge and skills. Most of the people who are the targets of sophisticated hacks and government surveillance are not computer savvy. They are the ones who need to be assured of security, but they do not yet have the means by which to ensure that they are secure.

The campaign to get usable security out to the people who need it began with the EFF’s Secure Messaging Scorecard. This is a program that has the goal of analyzing and listing all the messaging platforms that have good security. An essential part of determining the security score of any single system for this project is to properly and thoroughly review the code behind the platform. This matters because faulty or exploitable code is often the reason systems ultimately fail. After this, the messaging platforms are further analyzed to reveal how user-friendly they are. This will render a list of systems that are both secure and usable by average citizens regardless of their computer skills.

Software is often released before it has been thoroughly tested for design flaws. This includes the code structure. Many believe that allowing the software to be used by consumers helps companies to better see what the software lacks. This is a very dangerous practice, however, and should be stopped. It is causing a lot of people to get hacked and have their privacy breached. Consumers should never be treated as test subjects, and yet they are routinely used as such. The Secure Messaging Scorecard aims to test all available messaging systems to see if they are indeed fit for release and use by people, regardless of how amazing their manufacturers claim they are.

When we choose to use a particular messaging system because it is supposed to be more secure, we expect it to do what it claims it can do. We need to know that it has been rigorously tested and analyzed for any possible flaws. And we need to know that it is being continually observed in case some bugs turn up later on. All vulnerabilities should be monitored and addressed before a big problem happens. Sadly, most manufacturers do not pay attention to bugs until the havoc caused hits the presses. What the EFF wants to ultimately encourage is a routine practice among all manufacturers of properly reviewing their products before they are released for public use, and a dedication to monitoring those products so that they can identify and fix all possible problems before they can cause any damage.

The worst software vulnerabilities that we have experienced in the past years could have been easily avoided with proper security reviews. Among these are the Heartbleed bug and the Shellshock vulnerability. They should actually have been nothing to worry about if the code developers and other people behind the products that used these code systems had checked their work and kept an eye on their products. But they are often very lazy in this aspect because they just think that if something turns up they can always fix it later. They have very poor reviewing practices because they don’t care about who gets victimized because of their lack of concern with regard to product security.

To ensure that a piece of software is being properly reviewed, the skill levels of the people conducting the reviews must be very high. The tools used to review must also be of superior quality. It is not easy to be sure that a company is reviewing properly because it is not easy to tell whether they are employing both quality personnel and quality tools. This can get very expensive, so most companies will try to get away with conducting superficial scans of their products, such as searching for only the more common errors and vulnerabilities. But doing this leaves a lot of room for new exploits like we saw with Heartbleed and Shellshock.

The next goal after successfully getting companies to implement better reviewing procedures is to make sure that they actually go in and fix any detected problems. It is not always easy to determine whether a design flaw or a structural defect has really been fixed, not just patched over. But we can guarantee a better quality of review and repair procedures if standard reviewing metrics can be developed, if we can demand transparency from manufacturers, and if we see that the reviewers are comfortable vouching for the products that they are analyzing. With proper metrics, we can see the details of the variations in vulnerabilities found and what was done about them. With transparency, we can have other security analysts look at the reviewing process so that they can give additional input if necessary. Having a reviewer vouch for a product will encourage reviewers to be more thorough and honest. Of course, companies have been known to bribe reviewers to publish favorable results. But this is another aspect that must be tackled separately.

Reviewing is far from a perfect system, but it will go a long way to prevent a lot of the security flaws that are found in many pieces of software out there today that claim to provide high levels of security. Just the effort, to begin with, of coders and manufacturers to release properly reviewed products will make a huge difference for the people who buy and rely on these products.

