At a recent presentation at Carnegie Mellon University, CISA Director Jen Easterly called for a transformative shift that would require the technology industry to build security into product design. In her speech, Easterly defended her position, explaining how technology manufacturers have normalized releasing products with “cyber defects” and why we cannot blame the technology customers targeted by adversaries. She emphasized that the risk posed by poorly secured products is more significant than the alleged espionage from the Chinese spy balloon incident. Shifting security responsibility onto software developers is a commendable but lofty goal. We believe the solution is more nuanced and requires collaboration. Reform is needed from both software developers and consumers in tandem: software developers need to embrace security standards as market differentiators, and consumers need to practice basic cyber hygiene to strengthen their cybersecurity posture and avoid being considered negligent users.
Quality Assurance: A Consumer Demand
There’s no doubt quality assurance issues are prevalent in software. But they are hard to demonstrate because there are no standards developers must abide by, and no consumer demand strong enough to spur that process change.
In the automotive industry, for instance, when a car fails crash tests, the data is published. Not so for software companies. The National Highway Traffic Safety Administration (NHTSA) was established by the Highway Safety Act of 1970 (23 U.S.C. 401 note) to help reduce the number of deaths, injuries, and economic losses resulting from motor vehicle crashes on the Nation’s highways. Any consumer can view test results online and file a complaint if they experience a safety problem that could be a defect.
We do not yet have this type of federal “safety” oversight process for the cybersecurity of software products. A rating system for cybersecurity would not only alleviate consumer concerns when purchasing software but would also create a competitive commercial environment that rewards manufacturing higher-quality products.
To return to the automotive example, safety regulations (including mandated seat belts and standard airbags) changed the entire industry, and manufacturers now treat safety as a key feature of their products. But the market also changed because consumers won’t purchase an unsafe car.
What would the equivalent process look like for software safety? There are thousands of software “manufacturers” in the market. Critical issues include:
- How will software testing ensure security?
- Who will perform it?
- Where will the information be disseminated and updated?
These are just a few of the questions that make Easterly’s call to hold software makers liable for their security shortcomings difficult to implement in the near future.
A Competitive Commercial Environment Leads to Defects
The challenges of implementing software security are not new. David Rice explored a similar problem set in his landmark book, Geekonomics: The Real Cost of Insecure Software. He states that markets are imperfect, and that market participants seek to maximize their own utility rather than do what is best for the group as a whole. Industries function like markets, so they share this challenge. The same observation applies to the software industry and to an adjacent problem faced in critical infrastructure. Software developers maximize their utility by rushing products to market, which reduces quality and weakens security. Purchasers of software want improved features delivered quickly.
If each stakeholder maximizes what they want, there is no incentive to tackle software defect and security issues. If consumers are willing to trade off software security for more features, the market stays imperfect and buggy, and security-deficient technology continues to be deployed. The sheer number of patches software companies continually issue is a testament to the fact that software defects continue to create opportunities for attackers.
Golden Trifecta: Secure-By-Design, Minimum Standards, and Basic Cyber Hygiene
We strongly believe tech companies can be encouraged to adopt secure-by-design methodologies, which apply security architecture principles from the very first step of product development. Second, it is more realistic to focus on minimum standards that software companies must meet to satisfy implied warranties of “fitness for purpose.”
However, even secure-by-design methodologies do not guarantee secure outcomes. Software process improvement approaches help organizations increase the likelihood of producing high-quality products, but there is extreme variability in how software is actually implemented and used.
At a minimum, software developers need to publish more specific “use” guidelines for their products. Such guidelines make explicit where and how the consumer is responsible for security, including the compensating controls the consumer must implement, many of which are part of basic cyber hygiene. The problem must be solved on both sides for the market to approach balance, which means considering how exactly consumers are using the product.
On that note, it’s important to emphasize that a significant percentage of technology breaches result from poor cyber hygiene. Common deficiencies include:
- Inability to patch in a timely manner
- Configuration mistakes
- Secrets embedded in source code
- Exposed APIs
- Poor DNS security
- Poor awareness and training
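As an added illustration of the “secrets embedded in source code” item above (example code written for this page, not Axio’s tooling), the following scanner combines regex signatures for well-known credential formats with a Shannon-entropy check on generic credential-looking assignments, so that placeholders like “changeme” are not reported while random-looking literals are. The sample source it scans is constructed; the AWS access key ID in it is the documented example value, not a live credential. Names such as `scan_source` and the entropy threshold of 3.5 bits are choices made for this example.

```python
"""Minimal secrets-in-source scanner (illustrative example, not Axio's tooling).

Two detection strategies are combined:
  1. Signature regexes for credential formats with a fixed shape.
  2. A generic "credential-looking assignment" regex whose captured value is
     accepted only if its Shannon entropy is high enough to look random.
"""
import math
import re
from typing import Dict, List, Tuple

# Signature patterns. AWS access key IDs are "AKIA" plus 16 uppercase
# letters/digits; PEM private keys carry a recognizable header line.
SIGNATURES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic assignment: a variable whose name contains a credential-like word,
# assigned a quoted literal of at least 8 characters. The literal is captured
# and entropy-checked before it is reported.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api_?key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)

# Values that match the generic pattern but are obviously not real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "your_key_here", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random keys score well above 4;
    English words and repeated characters score far lower."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, matched_text) for each hit.

    entropy_threshold is an assumption for this example; tune it against your
    own false-positive rate."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
        m = GENERIC_ASSIGN.search(line)
        if m:
            value = m.group(1)
            # Drop known placeholders and low-entropy literals; only a
            # random-looking value is reported as a probable secret.
            if value.lower() not in PLACEHOLDERS and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample input: not real code and not real credentials. The AWS
# key ID is the placeholder value used in AWS's own documentation.
SAMPLE_SOURCE = """\
# constructed sample, not real code or real credentials
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "q9Zx2mK7pL4vN8wB3cT6yR1sH5dF0gJa"
greeting = "hello world"
KEY_MATERIAL = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for lineno, kind, text in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {text}")
```

Run against the constructed sample, the scanner reports the AWS key ID on line 4, the high-entropy token on line 5, and the private key header on line 7, while the “changeme” password on line 3 is suppressed as a placeholder. In practice a check like this belongs in a pre-commit hook or CI step so that a secret is rejected before it ever reaches the repository history.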
The unfortunate reality is that many organizations are still unprepared for a ransomware attack that leverages the above deficiencies. Our latest research study, the 2022 State of Ransomware Preparedness Report, provides real-world data to assess how organizations are fighting the cybersecurity scourge of our generation, and we uncovered some disturbing data points. Our research findings show many organizations have still not gotten the fundamentals right: they are not practicing basic cyber hygiene. This is concerning because attackers are well-prepared adversaries, eager to exploit these weaknesses and equipped with capable tools.
Axio’s Senior Cybersecurity Advisor, Richard Caralli, notes, “The practices and controls that seemingly are the easiest to do in an organization are still the things that organizations struggle with the most—whether it is ensuring critical vulnerabilities are patched within 24 hours or ensuring continuous security of high-value privileged accounts. Only 24% of organizations report to be patching systems within a day—a scary figure considering the continued digitization of the modern company.”
Caralli was recently featured on the Cyberwire Daily podcast discussing our research.
Collaboration is Key
Software product security is a collaboration between producers and consumers. Seat belts only make cars safer if occupants commit to wearing them consistently. To balance the cybersecurity “market,” producers must be incentivized to participate more fully in developing and testing software that is more resilient to attack. And consumers must compensate for software deficiencies by institutionalizing stronger compensating controls, especially by improving basic cyber hygiene. Interested in doing your part to improve basic cyber hygiene? Check out the benefits of using Axio’s free ransomware preparedness assessment to learn more.