“We’ve created this perfect platform of evil,” with increasing reliance on the Internet that ties together mobile computers, social networks, cloud and websites, said David Dewalt, chief executive officer of FireEye Inc., a security software company in Milpitas, Calif. “You throw all that in a petri dish with no governance model, complete anonymity and a lot of intellectual property one click away. That creates a very interesting model for attackers to use to get into systems that we now completely rely on – our critical infrastructure, our smart grid, our transportation industry, our financial systems, our military.”
“A 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector indicated that the cost is $105 per stolen record.”
“At the end of 2010, the Office of Management and Budget (http://whitehouse.gov/omb) established the “Cloud First” policy as part of an IT reform plan unveiled by the federal government CIO Vivek Kundra. The plan was to modernize federal IT systems on a number of fronts, including reducing the number of data centers and fixing or eliminating unsuccessful IT projects. As with the use of cloud technology in the private sector, the goal of transitioning to the cloud was to reduce costs and increase efficiency, agility and innovation.”
[…] “Other milestones, including the June 5, 2014, deadline for agencies to certify that their cloud systems with the Federal Risk and Authorization Management Program (FedRAMP) also provided difficult to meet.”
The crossing of the chasm towards “FedRAMPing” with the “Cloud First” policy is work in progress. The good news is that there is growing awareness of the emerging cybersecurity threats and vulnerabilities while acknowledging that in many instances, in both the private and public sectors, the cyber attackers are one or a few steps ahead, as evidenced by the security breaches in Target.
The pursuit of better software quality is, more or less, a team sport. Achieving the desired level of quality for customer satisfaction is still work in progress. The prevailing record of security breaches among a large number of critical software- based systems demonstrates that there is a need for fresh thinking about refining the craft of software development. While Understanding the Cybersecurity Challenge is a first step, the VUCA governance model of the [cybersecurity] “petri dish” drives home the point that taming cybersecurity is a “ground war” and not simply an “air war” campaign.
The word “art” in the “Art of Computer Programming” has been used to drive home the notion that software development cannot easily be automated (i.e., requires human creativity and human assistance).
According to Brad Becker of IBM, “the whole focus of this [cognitive computing] is that technology should work for people, and not the other way around.”
We recognize that human beings are by no means perfect. Psychologists use an assortment of evidence-based treatments to help people improve themselves. Borrowing a page from “The Future of Computerized Therapy,” there are some initial promising experiments underway using Watson, IBM’s cognitive computing innovation, that is attempt to focus on who is going to be launching cyberattacks on the technology infrastructure, what their malicious intentions are, how cyberattackers work, what’s the ethnography and the cognitive psychology of the cyberattackers.
The Programming Language F#
F# is a designed as a hybrid/functional object-oriented programming language. F# has a powerful type inference system which enables a programmer to write fewer lines of code and catch non-trivial errors at compile time. Functions are first class objects which can be combined to create new functions.
F# facilitates a paradigm for responsible programming by providing an environment fashioned for continuous validation of a set of assertions as the program is developed. F# has continued to improve its ranking in the Tiobe index.
Disciplined Agile Delivery (DAD) is an IT process decision framework for delivering sophisticated agile solutions in the enterprise. Originally pioneered by Scott Ambler, “DAD fills in the gaps left by mainstream methods by providing guidance on how to effectively plan and kickstart complex projects as well as how to apply a full lifecycle approach, with lightweight milestones, effective metrics, and agile governance.”
Technical debt captures the cost that software systems endure due to poor design choices and insufficient levels of modularity. The unconscious cultural acceptance of technical debt breeds vulnerabilities and curtails the advancement of software assurance maturity. According to Martin Fowler:
“Like a financial debt, the technical debt incurs interest payments, which come in the form of the extra effort that we have to do in future development because of the quick and dirty design choice.”
Software Assurance Ecosystem
“Trustworthiness requires a commitment to rigor in both software production and its verification. No soft skill, rigor has a hard edge.”
The non-governance of the “cybersecurity petri-dish” is a partial Glimpse of the Blindingly Obvious (GBO). We have to work together and launch a grassroots campaign with swiftness and strength to shift the odds and improve software assurance maturity in the industry. Thinking out loudly, I see a three dimensional view of this campaign strategy:
- Accelerated adoption of a programming language such as F# (or Swift, OCaml, etc.)
- Increasing awareness to reduce technical debt (T)
- Building a self-organizing network for software assurance program management (Ecosystem)
Cementing F#TE and software assurance is an “all hands on deck” initiative to rapidly fortify the systems in both the public and private sectors. That said, F#TE is not meant to be silver bullet.
At a software testing conference, I remember reading Dr Bjorn-Freeman Benson’s use the term “code psychotherapy” to increase the attention span for the software developer to “listen to code screams.” A code scream is a behavioral indication of a deeper problem in the system. The minority opinion is that the craft of programming should include code psychotherapy. We need to mindfully reflect about the software developer and team collaboration more broadly and deeply (*), besides analyzing the technical details of the bug triage. (* : a mile long and a mile deep)
I will readily agree that code psychotherapy might be somewhat tangential to this discussion. In the spirit of thinking out loudly, perhaps there is an outside chance that we can leverage the ability for Watson to get rapidly trained in a (non-algorithmic) domain such as therapy and discover hidden, non-obvious patterns that will serve as heuristics for preventing sophisticated cyberattacks. Furthermore let’s consider the following questions:
- What can developers learn from psychotherapy and incorporate the insights in the software engineering process?
- We need to build a growing cadre of software developers who can play a variety of roles — the “good guy”, the “bad guy”, the “naive user”, etc to improve the dialogue between team members and engineer software that is trustworthy and robust (which may seem lofty goals today). This means going beyond the (passive) man-machine interface, walk in the other person’s shoes and co-create beautiful code that is verifiable.
- With the growing attachment toward devices, perhaps there is room for psychotherapy body of knowlege to break new ground, forge collaboration with software developers, and contribute towards the interpretation of “code psychotherapy.”
Software Assurance Program Management
Below is a sketch of the mental model for software assurance program management
My hunch is that the F#TE is an art of turning software engineering activity into thoughtful, purposive action. In military parlance, this is a strategy of directed opportunism. In this context, the twin goals are to make software more humane while also improving the software assurance maturity.
(This is a living blog that is work in progress)