ao link
Business Reporter
Business Reporter
Business Reporter
Search Business Report
My Account
Remember Login
My Account
Remember Login

Playing the software security blame game

Linked InTwitterFacebook

John Smith at Veracode asks whether software providers should be more responsible for security

 

Playing the blame game is often the first port of call whenever a security breach occurs. From the outside, it’s business leaders who tend to take the most public scrutiny for cyber-security incidents, with press and customers alike asking how they allowed this to happen.

 

From there, business leaders turn their attention internally to their IT and security teams and ask the same questions. When a breach occurs, it’s ultimately due to existing security vulnerabilities that should have been identified and addressed earlier; so it’s natural that the blame tends to fall on teams whose main responsibility it is to find these vulnerabilities.  

 

But in recent years, debate has started to shift, with some beginning to question the level of liability that software vendors should hold when a vulnerability in their product is exploited. The idea that more onus should be placed on software providers to put security first has been around for a while, with the House of Lords even recommending holding software vendors accountable back in 2007.

 

But with high-profile breaches now seeming to happen on a weekly basis, such as the Log4j exploits or the CitrixBleed attacks, questions are being asked. It’s often claimed that an emphasis on blaming individual user errors and company decisions for breaches has permitted a culture of persistent security flaws, allowing spiralling security debt (which refers to any vulnerability left unfixed for more than a year) to take hold. 

 

There is much work to be done to improve the state of software security, but it isn’t a matter of blame. Rather, this is an opportunity for vendors to rise to the challenge, prove they are dealing with security vulnerabilities, and act with their customers’ best interests in mind.

 

But where should they begin? The answer lies in proactively reducing security debt.  

 

 

Keeping up the positive momentum

When looking at the progress software developers have made when it comes to addressing flaws, we can see that they are certainly stepping up to the challenge. Our recent State of Software Security Report showed some positive signs, with the prevalence of high-severity flaws reported by businesses having dropped to half of what it was back in 2016.

 

Persistent issues, however, still haunt many organisations. Ther first concern is that more than 70% of organisations are still grappling with security debt – a worrying statistic given how much more susceptible an organisation is to breaches with unaddressed vulnerabilities. 

 

A deeper dive into the statistics shows this could be even more worrying than it appears at first glance. Almost half (46%) of organisations have persistent, high-severity flaws that constitute critical security debt, whilst only 35% of teams demonstrate a sustained capacity to eliminate all critical security debt.

 

If software providers really are to step up to the challenge and solve these security issues, they need to develop a strategy that prioritises reducing security debt for organisations using their software. 

 

 

How can vendors reduce risks 

Software providers play a pivotal role in shaping the security landscape, and as the complexity of threats continues to evolve, their responsibility in mitigating risks becomes increasingly crucial. The most important thing is for vendors to address risk prioritisation and scalability. Good risk prioritisation processes allow software providers to focus on addressing critical vulnerabilities efficiently, and minimise the likelihood of breaches and associated security debt.  

 

Scalability is also essential – software providers need to be able to adapt and respond effectively to varying levels of demand and complexity within their security initiatives. That way, they can put themselves in the best position to respond swiftly and adapt to emerging threats, as well as optimise their resource allocation and focus their efforts on the most critical areas.

 

All this combined will help vendors reduce risks of breaches within their software, minimise organisational security debt, and enhance their ability to protect customers and safeguard their reputation by instilling confidence in their security measures.  

 

The security landscape is increasingly difficult to navigate. With threats from new technologies becoming ever more pervasive and complex, it’s increasingly important to prioritise software security. Yes, organisations must hold themselves accountable for safeguarding their digital assets, and internal scrutiny is necessary to address vulnerabilities effectively.

 

However, as the landscape evolves, so too must our approach to accountability. This shift isn’t about assigning blame; it’s an opportunity for vendors to demonstrate their commitment to security and contribute to a safer digital ecosystem.

 

As we navigate the complexities of cyber-security and aim to reduce security debt across the board, collaboration, accountability, and proactive risk mitigation will be essential for a secure and resilient future. 

 


 

John Smith is EMEA CTO at Veracode

 

Main image courtesy of iStockPhoto.com and solarseven

Linked InTwitterFacebook
Business Reporter

Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543