When I look at the time, money and resources used to protect digital assets I start to wonder as many executives do when are we going to see a turning point or a ROI?
While the problem is complex, I believe the lowest common denominator is software and more specifically the lack of time we spend testing and analyzing it prior to shipment. With many companies in a race to get to market; security and privacy is always the last thing that is considered. Many believe it gets in the way of productivity. If you want to see a disaster happening look at all the IoT solutions with little consideration to security and privacy. Then consider all the data breaches that have happened recently. Many of these data breaches were the result to someone taking advantage of bad code to get access using an insider.
As we continue to develop substandard code, we then spend billions on security technologies in an attempt to protect it. It seems crazy when you thing about it this way. You cannot protect flawed software, it is near to impossible because without user training and detection systems there is no one to deal with signs that a system has been compromised.
I also look at how over 20+ years the expectations of software developers has changed considerably. When I first started my career I did LOTs of programming. We did not have the Internet to provide us code samples, we had to learn the language and its nuances. We also had constraints on HW given the cost of memory and systems back in the day. You had to write good clean code.
Today, many developers when they hit a snag they will search Google and perform a CTLR-C + CTRL-P…..problem fixed. In the old days we used to have structured walk-throughs and spend more time in design to figure out the code logic. Today, programmers will use 3rd party libraries and SDKs without any consideration to security implications. Specifically, where did it come from and who has touched it.
So how do we fix this mess. Well with small steps and change our mindset to how we consider software in our society. Namely, we have to do the following:
- Make security part of our companies and organizations. Using an ISMS provides the basis for this regardless of the widget you build. Every company is different and will have to cater their ISMS to their specific risk profile.
- Once done you need to determine how you build your widget. This requires the use of a SDLC to identify the threats to the widget and how you plan to dispose of all the data that this widget might collect over its usable life. These need to be fully understood prior to every writing a line of code and document, document and document. These become audit-able elements later in the life of the widget. They also serve as education material for new team members as the team grows and changes.
- As the first versions of the widget are created they need to be evaluated to ensure the identified threats are sufficiently addressed. Spending this time now will save you costs down the road…..trust me.
- Prior, to production release, ensure the widget gets a final assessment to ensure all risks are known including residual risk(s).
- When the widgets are in-field they need to be monitored for signs that they have been targeted for compromise. The process for this would be been created under your ISMS and will drive how your organization will handle these reports.
- If these are reported it is important to evaluate them and if deemed relevant then address them as possible. If you designed your widget correctly it will have a method to perform in-field updating. This includes notify users of the update.
- At this point, you just need to repeat this process for every revision of the widget. As the company changes you will have to ensure the ISMS is updated to deal with growing nature of your business operations.
Only by addressing the current approach to software development can we reduce the current risk landscape to all businesses, consumers and government who use this vulnerable software. With vulns being found and not disclosed they are the nuggets that are used by the digital underground to prosper. Fixing software will help reduce the targets so your widget is not targeted but your competitors is. Let a secure cost effective widget be your competitive advantage.