Software Security Is National Security
Viren Mantri | Nations working together to build security

Last month, the Cybersecurity Think Tank of the Institute for Critical Infrastructure Technology in the U.S. published a paper, Software Security Is National Security, which, put the other way round, argues that a lack of software security is a national threat. It explores systemic problems in the software security landscape and why the U.S. must replace irresponsible practices with a culture of institutionalized security.

In my view, this paper is a must-read, and the recommendations made therein should be followed by security practitioners of all nations. Here are the highlights, along with some related observations (in italics) that I made earlier, which is why this paper resonated so well with me.

  1. Software security, although a higher priority, remains an afterthought: The vast majority of organizations are still not doing their due diligence to ensure that exploitable vulnerabilities are not present in the software they release. An estimated 84% of security breaches exploit vulnerabilities at the application layer. A year and a half ago, I shared my concerns about this, citing a research study that revealed several security flaws in mobile apps from some of the world’s largest banks, apps used by millions of users. It was rather interesting to note then that the developers of these apps were conscious of security but did not know how to implement the required security features correctly.
  2. Software liabilities: Using Microsoft and Apple as examples, the paper points out how software vendors do not bear liability for vulnerabilities in their products, and how hundreds of pages of legal jargon are intentionally written to absolve them of legal liability by shifting it to the users, and to dissuade users from having notice and choice concerning their data or from making an informed purchasing decision.
  3. Patching: The paper argues strongly that patching is a retroactive and defensive practice, one that leaves software security determined by malicious digital threat actors instead of by developers or their clients. A good example was seen earlier this week, when a security vendor urged users to roll back Microsoft's recent patch if they wanted their PC to boot.
  4. Open source: Although open source solutions are a viable option, the paper points out that most organizations lack both the ability to verify the integrity of the code and the resources required to maintain and secure it. News of vulnerabilities in these solutions spreads fast, as the code is public by definition, which further exacerbates the problem. A year ago, I shared how repeated coding mistakes in open source led to a 51 percent attack on a cryptocurrency.
  5. Cultural renaissance: Finally, the paper calls for a cultural renaissance in software security by encouraging the use of frameworks (NIST SP 800-37, 53, 64, 160), evaluation tools (SAMATE, OASIS SARIF) and implementation and coding guidelines (from DoD and OWASP). It also recommends correcting the course of negligent software development by enforcing security by design, by evaluating the quality of code, and by not buying into the myths that security stymies innovation and that software development cannot be regulated; it further ponders whether CEOs should be liable for breaches and whether supply chain risk should be addressed by legislation. A year ago, I reflected upon quality as the missing “backbone”, which, if built as the number one priority, can help drive cybersecurity strategies successfully. I also shared my views then on raising the bar on cyber resilience and maturity by tightly aligning with regulations and the NIST cybersecurity frameworks.


CC-BY Viren Mantri, 2019, licensed under a Creative Commons Attribution 4.0 International License.

Disclaimer: All views expressed here are entirely mine.