
DARPA Seeks Input On Securing Networks Against Attackers

hessian writes with an article in Wired about the problems facing the U.S. Government's networks in an increasingly hostile world. From the article: "The Pentagon's far-out research agency and its brand new military command for cyberspace have a confession to make. They don't really know how to keep U.S. military networks secure. And they want to know: Could you help them out? DARPA convened a 'cyber colloquium' at a swank northern Virginia hotel on Monday for what it called a 'frank discussion' about the persistent vulnerabilities within the Defense Department's data networks. The Pentagon can't defend those networks on its own, the agency admitted."
  • Secure systems (Score:5, Interesting)

    by Tomato42 ( 2416694 ) on Tuesday November 08, 2011 @09:36AM (#37984140)

    Start using systems that were designed to be secure in the first place. Stuff that works on a "deny by default" basis, that refuses to process any data that it doesn't understand, use OCSP as a white list on the CA side, defence in depth: use strict validation of input on multiple levels (when making a web app: using a default deny application firewall, then strict validation in form processing and finally use modular application design that validates data received from other modules) and so on.

    This will require throwing away most, if not all, software in use. Including OSs, probably even Linux as I'm not sure if SELinux (or other such systems) go deep enough on the kernel side. Then making new software from scratch with the primary design objective to be secure. As no politician or PHB can justify spending this amount of money on such a nebulous concept as security, the whole idea will fail. That this won't eliminate, just reduce, the number of security-related bugs won't help the cause.

    We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.
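The three validation levels named in the comment above (default-deny edge filter, strict form processing, re-validation at the module boundary), as an added sketch that is not part of the original comment. The route, field names, patterns and limit are constructed assumptions.

```python
import re

# Constructed policy: anything not listed here is refused (deny by default).
ROUTES = {("POST", "/transfer"): {"account", "amount"}}
FIELD_RULES = {
    "account": re.compile(r"[A-Z]{2}[0-9]{8}"),   # ASCII only, no \d (Unicode digits)
    "amount": re.compile(r"[1-9][0-9]{0,5}"),
}

class Denied(Exception):
    """Raised by whichever layer refuses the input."""

def edge_filter(method, path, fields):
    # Level 1: application firewall. Unknown route or field set is dropped.
    allowed = ROUTES.get((method, path))
    if allowed is None:
        raise Denied("edge: route not on allowlist")
    if set(fields) != allowed:
        raise Denied("edge: unexpected or missing field")
    return fields

def parse_form(fields):
    # Level 2: form processing. fullmatch() rejects trailing newlines that $ allows.
    for name, value in fields.items():
        rule = FIELD_RULES.get(name)
        if rule is None or not isinstance(value, str) or not rule.fullmatch(value):
            raise Denied(f"form: field {name!r} rejected")
    return {"account": fields["account"], "amount": int(fields["amount"])}

def ledger_transfer(order, known_accounts, limit=10_000):
    # Level 3: the receiving module does not trust its caller either.
    if set(order) != {"account", "amount"}:
        raise Denied("ledger: malformed order")
    if type(order["amount"]) is not int or not 0 < order["amount"] <= limit:
        raise Denied("ledger: amount out of range")
    if order["account"] not in known_accounts:
        raise Denied("ledger: unknown account")
    return f"queued {order['amount']} to {order['account']}"

def handle(method, path, fields, known_accounts):
    try:
        order = parse_form(edge_filter(method, path, fields))
        return ledger_transfer(order, known_accounts)
    except Denied as why:
        return f"denied ({why})"
```

Each layer fails closed on its own, so input that satisfies the form grammar (a six-digit amount, for instance) is still refused by the module that enforces the business limit.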
