Cyber Necessity: Stopping companies from selling insecure software

"We must begin to hold software companies accountable for such vulnerabilities"

From Marc Maiffret, New York Times: Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed. Instead of focusing solely on employees who accidentally open e-mails, we should also be pressuring software makers to make significant investments in their products’ security.

When you read headlines about the latest cyberattack, you typically do not hear about how attackers were able to put a virus or other malware on a system in the first place. In many cases, it begins with attackers exploiting a software vulnerability or weakness in order to install their malware.

The unspoken truth is that for the most part, large software companies are not motivated to make software secure. It’s a question of investment priorities: they care more about staying competitive with their products, and that means developing the latest features and functions that consumers and businesses are looking to buy. Security issues are often treated more as a marketing challenge than an engineering one.

A result is an open door to hackers inside some of the world’s most popular software systems. Perhaps most famously, during the early to middle parts of the last decade, hackers discovered a significant number of glaring security weaknesses in Microsoft products (some of which were discovered by my company). Several of these weaknesses were exploited in high-profile computer virus and worm attacks.

To be fair, securing software is not a trivial task. Often it means building in multiple barriers to entry and keeping those defenses current with the latest developments in hacker techniques. Security has to be a central and significant investment in any software development project.

Still, given the heightened impact of recent attacks on both corporate and government operations, we must begin to hold software companies accountable for such vulnerabilities. . . .

A lot of the talk around cybersecurity has centered on the role of government. But investing in software security and cooperating across the software industry shouldn’t take an act of Congress. It will, however, take a new mind-set on the part of developers. They should no longer see security as an add-on feature, nor should they regard holes in their competitors’ security efforts as merely a competitive advantage. As the world comes to depend more and more on their products, it should demand nothing less.

Marc Maiffret is the chief technology officer of BeyondTrust, an enterprise security management company. (graphic: Minnesota Department of Public Safety)
