The world of consumer electronics increasingly requires patches and software updates, but a major concern is that this problem is wider than just the next big video game or smartphone. The U.S. military’s fifth-generation F-35 Lightning II stealth fighter has seen its Technology Refresh-3 upgrade drag on for more than a year, and the issue was so great that the Pentagon put a hold on accepting new aircraft until the problem was resolved.

Only recently was a compromise reached where a truncated version of the TR-3 was introduced, but it will mean those F-35s being delivered will require an upgrade in the not-too-distant future. But it will be delivered differently than the latest Windows patch, and that could mean some aircraft will be grounded for weeks.

The issue of not-quite-ready-for-prime-time software led the head of the Cybersecurity and Infrastructure Security Agency to call for major changes. At last week’s Black Hat security conference in Las Vegas, Jen Easterly told attendees that there need to be changes in how developers build software.

“We have a multi-billion dollar cybersecurity industry because, for decades, technology vendors have been allowed to create defective, insecure, flawed software,” Easterly said in her remarks.

She further suggested it may be up to lawmakers to introduce legislation that could require the industry to take better ownership of the software it writes.

“Congress can also have a transformative impact by establishing a software liability regime with an articulable standard of care and safe harbor provisions for those vendors that innovate responsibly, prioritizing secure development processes,” said Easterly.

Challenges Lie Ahead

While some code is upgraded to address new hardware changes and enhancements, the root of the problem is often the planned release schedule. In the consumer world, too often this means release now, patch later.

“Jen Easterly is absolutely correct; according to most cybersecurity researchers I interview, we have a software quality problem. It has become too easy to make things,” warned Evan Dornbush, former NSA cybersecurity expert, and host of the podcast Hackers On The Rocks.

Dornbush told ClearanceJobs that many web developers don’t even know what HTML – the “language” of web pages – is, while many product developers use ‘no-code’ abstraction technologies to build apps.

“With each new layer of surface-level simplicity for builders, comes an iceberg of complexity for maintainers,” said Dornbush. “There will always be crafty researchers who come up with slick and novel techniques to compromise technology. However, the volume and velocity of public bugs don’t align with cutting-edge research. Rather, rush-to-market efforts expose unacceptable practices.”

The pace of code being developed also means that issues can be buried deep, and it becomes a problem waiting to happen.

“For organizations with a large number of software developers creating code for internal use, the pace is relentless, with new builds often being pushed into production multiple times a day to meet business and client demands,” explained Stephen Gates, principal security subject matter expert in application security test (AST) at cybersecurity provider Horizon3.ai. “This rapid deployment cycle forces them to make real-time decisions on which vulnerabilities can be fixed and which must be deferred due to time constraints.”

Too Much Acceptance

As the world becomes ever more connected, there has also been too much acceptance of flawed code, as illustrated by last month’s CrowdStrike update that crashed computer systems worldwide.

“Vulnerable software or code is a common issue. Ethical hackers commonly find vulnerabilities in web applications to gain footholds in servers during penetration tests to access computing environments. Some of the reasons for these security flaws are software being developed too quickly and not adhering to secure coding standards, and being not tested, or suboptimally tested,” said Phil Wylie, offensive security expert at Horizon3.ai.

“Bugs and bad code are both known issues,” Wylie told ClearanceJobs. “Bad code is a direct effect of bad coding and software security practices. Bad code is a side effect of bad coding and software security practices. Third-party models, application servers, and development languages can have vulnerabilities too, which affect the software making it vulnerable.”

Software is Part of Security

Too often, cybersecurity is seen as a different entity from software – but the two go hand-in-hand. Properly developed software could help mitigate security vulnerabilities.

“Too many people in the industry think cybersecurity is separable from the software base like it is something you can paste on at the end of a build,” suggested Dr. Jim Purtilo, associate professor of computer science at the University of Maryland.

Nothing could be further from the truth, he told ClearanceJobs, adding that security is one of the several important ingredients that need to be baked into the cake.

“Today’s prevalence of flawed software products stems in part from the idea that you can promote cybersecurity in isolation since higher education has squeezed traditional software engineering programs to favor trendy cyber offerings,” Purtilo continued. “We just don’t prepare young software engineers as in the past, and for this blame campus administrators who are keen on marketing new tracks. They prioritize lab resources and hiring in pursuit of the shiny cyber label, and meanwhile, there is less for those of us who research and teach the enduring practices that promote quality. If you learn how to design for quality, then it is not a hard stretch to ensure security as well; the best investment in cybersecurity would be to flesh out solid software engineering programs again.”

Addressing the Issues

Legislation may not be the answer, even as Easterly called upon lawmakers to take up the issue. It may instead come back to education.

“These vulnerabilities can be reduced by implementing secure coding practices,” said Wylie. “Secure coding is not typically part of developer education programs or degrees. Educated developers along with implementing secure coding practices, and making security part of the software development lifecycle (SDLC). Security testing and penetration testing should be part of the SDLC. Supply chain vulnerabilities can be a risk to your software, so testing third-party modules and integrations is very important, you can be secure, but third-party resources can present vulnerabilities that could be leveraged by threat actors.”

And it may be money that solves the problem, added Purtilo.

“A second reason for so many flawed software products is a simple market reality: nobody really pays for quality,” he noted. Computation has been such a growth industry that software companies learned what pays is first to market, not best to market.

“Take the time to bake in better properties and, maybe, another company locks up money that was on the table. The incentive is thus to build fast, delivery first, drop the product before it gets expensive to maintain, and move to the next product,” said Purtilo. “If the market held out for products that could be sustained then it would be a different story. Developers would have to figure out how to build in a way that won’t bankrupt them later with bug fixes and data breaches. No pledge ‘gosh, we promise to build better’ is meaningful when a buyer has money in their hand and says they need a product right now.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.