Software development is still ignoring security. That needs to change fast
If one event demonstrated how vulnerable organizations and infrastructure around the world are to software vulnerabilities, it was Log4j.
The critical zero-day vulnerability in Apache Log4j, the Java logging library, allowed attackers to execute code remotely on affected devices and networks. And because the open source library had been integrated into a wide range of enterprise software applications, services, and tools, it had the potential for widespread, long-term disruption.
No wonder Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described the vulnerability as “one of the most serious, if not the most serious, I’ve seen in my entire career.”
Security patches were developed quickly and organizations moved fast to apply them, although the ubiquitous nature of Log4j’s open source code means there will be software and applications that never receive the update, especially where no one realizes that Log4j was part of the development process.
Log4j is just one example of the serious security vulnerabilities that keep being discovered in software that has been in use for years, and it arrived 20 years after then-Microsoft chief Bill Gates issued his Trustworthy Computing memo, which urged Microsoft developers to produce more secure software after a string of bugs and security holes had been found in its operating systems and products.
“Ultimately, our software should be so fundamentally secure that customers don’t even care about it,” Gates wrote.
Two decades later, while Microsoft Windows is generally considered a fairly secure operating system when used correctly and kept patched, even Microsoft cannot escape critical code vulnerabilities. And more generally, there is still far too much insecure software around.
Software has always shipped with bugs, but software and services have become increasingly central to our daily lives, making the potential impact of security vulnerabilities even more damaging.
In many ways, software development has not evolved to cope with this new reality: products are still being rolled out, only for vulnerabilities, sometimes significant ones, to be discovered much later. And when the flaw sits in a somewhat obscure component like Log4j, organizations may not even be sure whether they are affected or not.
“Inherently, the way we do software development only lends itself to mistakes and flaws,” says Rob Juncker, CTO and head of software development teams at Code42, a software security company.
“The fast pace of work we live in contradicts the best practices of most security teams.”
Security teams want to make software secure, a process that requires investment, staff and time. This is often the opposite of what software companies demand: they want to make sure the code is functional and ship it as soon as possible, especially when new products or features are at stake.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The security situation is very uneven across the industry, with fairly good security at some of the major vendors, but the vast majority, even those that are very well funded, have not made basic investments in security, says Katie Moussouris, CEO of Luta Security.
“Unfortunately, we’ve seen low investment in cybersecurity over the last 20 or 30 years,” she says.
What companies need to do is make sure that cybersecurity is built in from the outset and is a basic element of the software development program at every step of the way, so that risks and potential risks can be considered and acted upon before they become problems down the line.
“If you think about how software is made, implemented, and maintained, it’s a whole supply chain. And it starts when you’re designing software or thinking about new features,” says Jonathan Knudsen, senior security strategist at Synopsys, a software security company.
“In the design phase, you have to think about security, you have to do threat modeling or architectural risk assessments, so before you write any code you just have to think about how it will work and what it will do… and how it could be attacked,” he adds.
SEE: Cybersecurity: Let’s be tactical (ZDNet special report)
Bosses may be reluctant to spend extra time and resources on ensuring that code is delivered securely, but in the long run it should be the most cost-effective approach, in terms of both money and reputation.
It is safer to make sure code is secure before it is released than to have to ship a critical update later, which users may not even apply.
The problem is that many organizations are so accustomed to a development model in which speed is key, and the consequences for them of producing poor code are relatively low.
This could mean that more practical action is needed to promote secure code and to penalize those who willfully ignore security issues.
“In other industries where we have such a critical dependency, we have regulated these industries, but the software has remained largely unregulated, so there are no software liability laws,” says Moussouris.
There has been some movement in this area: for example, the UK government has proposed legislation that would require manufacturers of internet-connected devices to follow a set of software security rules before their products can be sold.
However, government moves at a slower pace than industry, and even once the rules are enforced, there is already a great deal of IoT software in circulation that would not meet the requirements.
But as organizations and individuals become more aware of cybersecurity issues, market forces may push organizations to take software security more seriously, leaving behind the software developers who don’t think about security.
“Globally, we are more aware of the security of software, so I think that will result in buyers asking more difficult questions to their builders,” says Knudsen.
It is therefore vital for software developers, their customers, and society at large that software security be taken seriously. Maybe “move fast and fix things” could be a new motto for developers to aspire to.