Make Software Secure Now!

Just for fun I wanted to make the headline to be “Make Software Secure Again”

But when was software secure?

Never, as we assumed it was secure but actually SW was never tested and security problems started as people hacked software and thus it was never secure we were just ignorant or naive in the 80s and 90s.

So if we  decide that we need to make software secure NOW! then what do we have to do?

 

The IT industry has a problem, since one seems to find security holes in almost any software. Let’s face it software-hardware was not built to be secure, it was built to be functional.

 

Let’s go back to this¹:

perfectsecuritynotpossible

Today my ‘updated’ assertion is that collectively “We” have not built secure software with secure hardware and protocols.

risk-security-rightway

The devices that we use are designed to work first as we are more interested in high growth than security.

risk-security-see-saw

So what do we do now on this day 09/07/2016?

Risk has changed in the age of the Internet 2016. If your computer is on the Internet it automatically receives a larger level of risk than you realize.

I think we need to have a different See-Saw equation one where Business needs to see Security as something to add as a matter of fact – but only enough where it is added to review your situation.  We cannot have a ‘low priority security’ method.

This phenomenon is true for firewalls and switches from name brand vendors as well – in fact it is true for all products.  Here is an example:

EXTRABACON exploit  found and then Rapid7¹ research ahows that even with Cisco’s quick release after the publication on 8/17 – there was a week or two (depending on when you patched) that over 50,000 machines were vulnerable.

To be effective this exploit had to have a lot of items in line to be effective for the hacker, thus making this attack a less likely attack (as snmp attacks usually must be done on the network ), but if there are attackers on the network, then they can stay on the network easily.

So there are many questions that come to mind.

Since this SNMP attack was a Zero-day attack how long was this exploit actually known to criminal hackers?

The philosophical question amidst all the vulnerabilities …

Why are there constant new vulnerabilities coming into being?

Many experts have said that the attackers always have the advantage – why is that?

Does our software/hardware really have that many security problems?

The problem is that software is not written with security in mind, only after it is written does an attacker start to think about how to take advantage of it. And apparently this thought process has not been anticipated by the software writers. By “software writers”  unfortunately I mean all software – operating systems, spreadsheets , word processing , Internet of Things, in automobiles, cloud software, and pretty much anything. Especially if connected to the Internet.

 

So let me ask you – why not test the software as it is written? Why not test the devices as they are installed, doesn’t that make sense?

I have tried to make this simple to see with a diagram:

 

systemengineeringassecurity

 

This diagram is actually a simple feedback loop within  system engineering

 

 

 

  1. https://community.rapid7.com/community/infosec/blog/2016/09/06/bringing-home-the-extrabacon
  2. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/
Advertisements