The perfect software security illusion

Jamie Grave at Uleska highlights the danger of assuming that any software is free of vulnerabilities

 

According to figures from the National Vulnerability Database, there were almost 22,000 cyber-security vulnerabilities reported in 2021. This was a record number and over 3000 more vulnerabilities than there were reported in 2020.

 

These vulnerabilities varied across their severity and impact, but they provided a world of opportunities for cyber criminals to break into organisation’s networks, perform ransomware attacks, and steal confidential data.

 

The high number of vulnerabilities also further reinforces a message the cyber-security industry has been echoing for many years – no system or piece of software is perfectly secure, and any business that believes in the existence of ‘perfect’ software has fallen into a cyber-security illusion that will be heightening their risk to attack.

 

To put this problem into perspective, a recent analysis from CAST reviewed 278 million lines of developer code and discovered more than 1.3 million vulnerabilities caused by errors and poor code practices.

 

This study highlights that vulnerabilities in software code are rife and when manufacturers do not take steps to monitor, assess and remediate them, they are leaving exploitable holes in their products that could leave their customers at a greater risk of cyber attack, while leaving themselves with significant technical debt.

 

To counter this threat, it is essential that manufacturers and software vendors take steps to monitor and address vulnerabilities before their products reach the market. Not only does this help protect their customers, showing they are a responsible organisation, it also introduces significant cost savings for businesses.

 

According to data from the Cost of Poor Software Quality in the US: A 2020 Report, the quality of software lags behind other objectives in most organisations and this comes at a steep cost. The study suggests that the total cost of poor software quality in the US is $2.08 trillion and that organisations overall are left with $1.31 trillion in technical debt because of the bugs and issues they have to address in software after it has been released.

 

Given these costs and the security risks posed by vulnerabilities, what should manufacturers and software vendors do to improve the security of their products, so bugs can be addressed before they go to market?

 

 

Assess for vulnerabilities

Software vendors and product manufacturers should introduce security checks as early into the software development lifecycle as possible. This allows them to constantly keep track of security vulnerabilities and bugs and address them in tandem with development.

 

Creating a team that can regularly assess and organise a plan to solve vulnerabilities can lead to more effective prevention and better results overall. This group can best evaluate these issues and formulate a strategy that works best for the organisation.

 

Prioritise fixes for vulnerabilities

When vulnerabilities have been discovered, security teams need to assess their significance so they can prioritise patching. By utilising the Common Vulnerability Scoring System (CVSS) they can find the numeric score for each vulnerability based on individual severity.

 

Once this has been done, a team can choose to place the in one of three categories:

 

• Fix any issues that have solutions, whether from pre-existing software patches or mitigating the issue until resolved. Teams should prioritise these for the next step.
• Track issues that are not being resolved currently, regardless of the reason. Teams should document all vulnerabilities that aren’t getting an immediate fix and notating why. This helps for future reviews and to assess threats better.
• Investigate issues that don’t fall into the other two categories. These should be temporary statuses while the vulnerability is investigated to find an optimal solution or a potential false positive.

 

Fix vulnerabilities

Once all vulnerabilities have been identified, it is time to start fixing them and applying patches. Start with the high-severity, most critical vulnerabilities first.

 

Despite perfection being something all humans strive for, researchers and theorists believe it is impossible to achieve in real life. Whether it be drawing a flawless circle, producing perfect lines of code or manufacturing a product without a single defect, they believe it is impossible for something perfect to be created by humans.

 

When thinking about the consequences of this inherent imperfection, they go much further than just denting the human ego.

 

This means all the software businesses rely on every day to carry out critical transactions are all full of flaws and vulnerabilities.

 

To counter this challenge, the responsibility relies with product manufacturers and software vendors who need to take steps to monitor and mitigate vulnerabilities in their products, before they reach their customers.

 

---

 

Jamie Grave is CEO of application security platform at Uleska

 

Main image courtesy of iStockPhoto.com