Can a 5GL Digital Process Modeling Language “Save Cybersecurity?”
Larry Karisny, the director of Project Safety.org, wrote an interesting post in which he argues that systems built on 3rd and 4th generation programming languages are inherently insecure as they grow more complex. He highlights current cybersecurity challenges and makes a case that a 5GL language built for Digital Process Management (DPM) may be the answer to our prayers.
Note: A 5GL is a programming language based on solving problems using constraints given to the program, rather than general purpose code or unconstrained algorithms. Karisny notes that some declarative languages, such as XQuery or SQL, are fifth-generation languages.
In the post, he writes: “Current 3GL and 4GL programming languages were mainly focused on interconnecting and automating systems rather than intelligently monitoring their operations in real time during data in motion…if a user can develop an unambiguous, complete flow chart of a process, that chart can be converted into a working program (instructions, or code, for the computers to execute) to identify deviations from the expected operations or data.”
I think Karisny would say that just being a 5GL doesn’t in itself equate to being more secure. Think SQL injection attacks. But there’s more:
Karisny writes that “By adding Digital Process Management to 5GL, you now have a comprehensive real-time intelligent viewing capability during data in motion, which can catch cyberattacks before they occur…DPM and 5GL…are able to authenticate, view, audit and block system events in real time during data in motion across multiple software, hardware and network platforms.”
This isn’t the first time that I’ve heard security folks make the case that it would be possible to create a secure application programming language proof against vulnerabilities because it automatically checks its own inputs and so forth. Basically, Karisny is describing a software model that goes beyond checking inputs to intelligently monitoring itself for anomalies.
Pretty interesting stuff. Karisny cites a more detailed paper (PDF) by an M.E. Kabay. I skimmed it, and while it had a lot of examples of things the 5GL DPM could program, it didn’t provide any details of the threat modeling that would need to be done to even assess whether the language could be more secure. I suppose there is more I can read about it somewhere.
In the meantime, I was a bit disappointed that Karisny spent some of his post arguing that cyber-insurance – which Security Architects Partners has previously explored as a market-based approach to cybersecurity – could not succeed.
To “save cybersecurity,” what would you rather bet on – a programming language that few organizations use yet, or the market?