Industry invited to work with organizations tackling software, hardware vulnerability

March 12, 2008
SAN DIEGO, 12 March 2008. The second morning at the Military & Aerospace Electronics Forum offered up sessions on software and hardware security, cryptography, and vulnerabilities. In the presentation titled "OWG: Vulnerability," John Benito of Blue Point Consulting Inc. discussed scripting language issues and software vulnerabilities. He delved into such challenges as buffer overflow, "off-by-one" errors, and various other failure mechanisms.

By Courtney E. Howard

Benito works with OWG:Vulnerabilities (OWGV), a working group reporting to SC 22. It has been assigned responsibility for project 22.24772 to write "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use."

The organization is in the process of writing the technical report that describes all the vulnerabilities that can be identified today. It is trying to use databases, such as CWE from MITRE Corp., as cross references and to define vulnerabilities. Annexes will provide language-specific treatments of each vulnerability.

"No single programming language or family of programming languages is to be singled out," Benito explains. "In our initial charter, we wrote 'trust the programmer' as one of our key objectives. It seems funny now," he quips, "but we meant it when we wrote it years ago." The end goal of all the international collaborative work is to ensure "safety, security, predictability, and assurance."

"It is important work--the only way standards happen is by people getting involved. It's volunteer work, it's tough, and it's not glamorous--everything has to be done by consensus. If you are interested in getting involved, now is the time."

"I hope tool vendors will take a look at the document, but right now we only have one tool vendor attending," Benito says. "Vendors are invited to take a look at the document, and see if they can add something to their solutions."

The organization welcomes industry to attend its meetings. Several meetings are scheduled this year, with the next two events occurring in the Netherlands and Washington. Visit the Web site at http://aitc.aitcnet.org/isai for relevant technical reports, a calendar of events, and more information.
