Editorial Exploration to Strengthen Software Security Measures

The Shift towards Software Security Liability

The recently released National Cybersecurity Strategy by President Biden’s administration highlights the need for organizations to take responsibility for their software security. The strategy argues that markets fail to impose adequate costs on entities that produce insecure software and calls for increased liability for shipping vulnerable products. This shift in perspective recognizes that insecure software is endemic and demands a rigorous approach to software security.

The Root of Vulnerabilities

To understand why insecure software is so prevalent, it is important to examine where flaws are introduced. Flaws are implementation defects that lead to vulnerabilities, which are exploitable conditions within software code. Over time, flaws accumulate, creating a concept known as “security debt” – the unresolved flaws throughout the lifetime of an application. This recognition has led to the rise of DevSecOps, which integrates security throughout the software development life cycle.

Veracode’s research report on the state of software security revealed several insights. When a new application is onboarded, there is an initial drop in the number of flaws as accumulated flaws are discovered. This is followed by a honeymoon phase, where 80% of applications introduce no new flaws. However, after the honeymoon phase, the introduction of flaws steadily increases until plateauing around year five.

The most common flaws detected vary depending on the type of scan conducted. Information leakage was prevalent in all three types of analysis – static, dynamic, and software composition. The report emphasizes the importance of using multiple scan types to uncover different issues. Additionally, scan frequency and the use of APIs for automation play a role in reducing the probability and number of flaws.

Stepping Towards More Secure Applications

While preventing all flaws from being introduced is not practical, there are three key recommendations for making applications more secure based on the research. First, remediation of security flaws should be prioritized early and quickly. As applications age, the accumulation of flaws increases, highlighting the need for prompt action.

Second, automation and developer training should be prioritized. Awareness of common flaws and how they are introduced can significantly reduce their occurrence. The research showed that completion of 10 hands-on security training courses by developers correlated with a 12% reduction in the number of flaws introduced.

Lastly, companies need to establish application life-cycle management. Assigning ownership of each application helps ensure its security. Rather than attempting to create a comprehensive list upfront, it is more effective to start with a few applications and build the list iteratively. Maintaining an application involves deciding how long it should be in production, considering the growth of flaws over time.

Rigor Is a Requirement

In today’s security climate, software security is of utmost importance. With the National Cybersecurity Strategy emphasizing enforcement actions, software vendors have a heightened incentive to reduce the security debt of their applications. Understanding how flaws are introduced and how to remediate them is crucial for ensuring both the security and viability of software products. Rigor in software security is necessary at every stage of the software development life cycle as responsibility shifts to companies.

The Debate: Regulation versus Market Forces

While the National Cybersecurity Strategy aims to address software security through increased liability, there exists an ongoing debate between regulation and market forces. Some argue that market forces will naturally incentivize companies to prioritize secure software, as their reputation and customer trust are at stake. However, others believe that regulation is necessary to establish minimum security standards and hold companies accountable for shipping insecure products.

Both approaches have their merits. Market forces can drive innovation and competition, leading to better security practices. However, without regulation, there may be insufficient incentives for companies to invest in software security. Striking the right balance between regulation and market forces is a crucial challenge that policymakers and industry leaders must navigate.

Advice for Companies

With the expectation that companies will be liable for the security of their products, it is crucial for organizations to prioritize software security. The following advice can help companies enhance their software security practices:

Invest in Security Training and Automation

Provide developers with hands-on security training to raise awareness of common flaws and how to prevent them. Automation can help streamline security processes and reduce the likelihood of introducing new flaws. By prioritizing both training and automation, companies can significantly improve their software security.

Establish Application Life-Cycle Management

Assign ownership and establish clear processes for maintaining applications throughout their life cycle. This includes deciding how long an application should be in production and regularly assessing its security. By actively managing applications, companies can mitigate the growth of flaws over time and ensure their ongoing security.

Conduct Regular Scans and Use Multiple Analysis Techniques

Perform regular scans to identify and remediate vulnerabilities. Utilize multiple analysis techniques, such as static, dynamic, and software composition analysis, to uncover different types of flaws. Regular scanning and comprehensive analysis can significantly reduce the probability and number of vulnerabilities.

Advocate for Effective Regulation

Engage in the ongoing debate around software security regulation. Advocate for effective regulation that strikes the right balance between accountability and industry innovation. Collaborate with policymakers, industry associations, and other stakeholders to shape regulations that promote software security without stifling innovation.

Conclusion

The release of the National Cybersecurity Strategy marks a significant turning point in the responsibility for software security. Companies can no longer play the victim card and will be held liable for shipping insecure software. It is now imperative for organizations to bring rigor to their software security practices. By understanding the root causes of vulnerabilities, embracing automation and training, establishing application life-cycle management, conducting regular scans, and actively participating in the regulation debate, companies can enhance their software security and contribute to a safer digital ecosystem.
