By Steve Lipner and Eric Baize
After every news cycle involving major technology players and zero-day vulnerabilities in the products or services they provide, suspicious comments questioning technology players’ commitment to software security assurance inevitably seem to resurface.
The recent Wikileaks release of documents allegedly from the CIA describing zero-day exploits in major online services and platforms was no exception. It presents an opportunity for us to take a broader view of the forces at play and to accelerate progress in security among the stakeholders involved.
The Development Organization Needs a Holistic Process
The organization that develops software for applications, products, or services has the responsibility to adopt a holistic secure development process to minimize the risk of vulnerabilities in the code they create. In the 15 years since Bill Gates issued his Trustworthy Computing memo, the focus of development organizations on preventing, detecting and promptly addressing vulnerabilities in their code has drastically improved. No responsible organization with a long history of developing software would ignore or hide critical vulnerabilities in their code. If vulnerabilities remain, they are the result of the complexity inherent in feature-rich products and services, legacy design decisions, or sophisticated exploitation of highly complex software architectures. When such vulnerabilities are reported, they are addressed with security updates in a prompt and effective manner.
We should be very clear: the existence of vulnerabilities in software results from the complexity of modern software. The investments most mature development organizations have made to address software security have made attackers’ task of finding exploitable vulnerabilities much harder. That said, there are important forces at play that can significantly contribute to improving the overall state of software security.
The Technology Consumer Plays a Key Role
We should not underestimate the power of the market. Technology consumers have a key role to play in driving vendors of products and services to adopt a holistic secure development process. They own the budget and have the power to pressure their vendors. However, to be effective and avoid diverting vendors’ efforts to producing compliance documents rather than secure software, it is critical that technology consumers assess their vendors using international standards or industry frameworks that focus on the actual application of rigorous secure development processes.
Technology consumers also have a responsibility for protecting their own systems. They must understand and manage the risk associated with their systems and the products they acquire, and they must operate and administer their systems securely, including for example installing security updates on a timely basis, changing default passwords, and holding their users accountable. And if they find that the products and services they are using make any of those tasks difficult or impossible, they should provide clear feedback to their suppliers.
The Software Developer Needs Security Knowledge
The market can be powerful, but the software security problem cannot be fully addressed if we ignore its roots. The digital economy runs on software and needs more and more developers. Every year, hundreds of thousands of software developers join the workforce without even a basic knowledge of security. The burden of educating and training developers on software security is left to the development organizations that hire them.
You cannot become a building engineer without being trained on fire safety, but you can earn a software engineering degree without having to take any courses on security. Colleges, universities, coding bootcamps and other developer training organizations must address the security education of software developers or the software security problem will perpetuate for decades to come.
The Path Forward
Over the last 15 years, development organizations have made a great deal of progress in articulating and applying approaches to building secure products and services. While stakeholders must acknowledge that security vulnerabilities will never be eradicated, they should also understand that they can be significantly reduced in prevalence and severity if:
- Development organizations adopt a holistic secure development process
- Technology consumers do their part, and also encourage their vendors to adopt a secure development process
- Software developers are taught security as part of their software engineering education.
SAFECode provides resources for all software security assurance stakeholders to help them execute such a strategy: practices for development organizations, training modules for developers and an assessment framework for technology consumers.
We call on all development organizations, educational institutions and technology buyers to join us in continuing to advance this strategy. And we welcome your response to our thoughts on this important subject.