Former CIA cyber guru addresses GISEC delegates
Software vulnerabilities caused by vendor obsession with compatibility, Dubai delegates warned
A former US Central Intelligence Agency cyber security chief today warned delegates at a Dubai conference of the dangers of software vulnerabilities, pointing the finger squarely at vendors that write weak code when upgrading products.
"I think IT vendors largely put product compatibility [first], especially backwards compatibility," said Robert Bigman, former chief information security officer at the CIA and current IT security consultant.
Bigman delivered the keynote address at this year's Gulf Information Security Exhibition and Conference (GISEC) held at the Dubai World Trade Centre.
"If we could just come to a compromise with [the likes of] Microsoft and Adobe and say ‘Don't worry about having to make your systems and your new releases backwards compatible,’ we would start to see code that was a lot more secure," he said.
He was also critical of software houses' attitude to the robustness of code in subsequent versions of their products.
"What a lot of vendors tell me is ‘We try to write secure code but if we don't it's okay.’ Do you think they care about the reputation risk? No, they don't."
Software vendors were by no means alone in this approach, Bigman warned. He highlighted the example of consumer routers that update firmware using established credentials.
"The vendors do this to make life for you consumers easier," Bigman told delegates. "So you don't have to worry about the drivers; you don't have to worry about the firmware. They will do it for you, using the SSL connection you have already established."
Bigman shared a range of tips for securing the network, many of which were significant departures from traditional approaches. For further details, watch out for ITP.net's upcoming feature.