Every year a number of vulnerabilities are exposed and exploited, but 2014 was a bad year for software security. At the beginning of the year, Cenzic revealed the latest results from its 2014 Application Vulnerability Trends report and found that a majority of apps have at least one security vulnerability; but it wouldn’t be until a couple of months later that developers would feel the burden of security vulnerabilities.
In April, a bug was discovered in OpenSSL that caused chaos to erupt in the software community. CVE-2014-0160, also known as Heartbleed, could give an attacker access to a site’s secure data and the encryption keys protecting that data, and with SSL and TLS at the core of Internet security, developers were left to put out fires.
Technology giants came together to form the Core Infrastructure Initiative in order to help stop underfunded and understaffed projects from releasing unreliable code. Nokia Solutions and Networks joined the fight with a substantial donation to help the OpenSSL project fight against future vulnerabilities.
Throughout the year, a number of organizations released new versions of their software testing platforms to help developers better find and fight bugs. Trustwave acquired Cenzic in March to enhance its testing platform and help businesses rapidly identify and address their security weaknesses. In May, QASymphony unveiled three tiers of software testing tools to give testers flexibility across different testing scenarios. In June, Coverity announced it had revamped its suite of testing solutions to help organizations find and fix critical quality and security issues earlier in the software life cycle. Perforce and Parasoft teamed up on a joint solution to automate code quality processes and enable developers to collaborate on bugs and fixes. In January 2014, Rogue Wave acquired Klocwork for its static code analysis tools, which filled out Rogue Wave’s offering in the secure software market.
The IEEE Center for Secure Design brought the security discussion to security design flaws in August. According to the organization, in order to make sure software is secure, the focus needs to be on design flaws and not just software bugs. To help protect systems, the center came up with a list of the Top 10 security design flaws and some practices for avoiding them.
And just when security researchers thought they could put Heartbleed behind them, the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued a warning in September about a vulnerability affecting Unix-based operating systems. The bug, dubbed Shellshock, was found in the Bourne-Again Shell known as Bash and posed a bigger threat than Heartbleed, causing companies to rapidly update their operating systems and issue security advisories.
The year ended with security at the front of developers’ minds: not just software security, but cybersecurity as well. The Electronic Frontier Foundation, together with a coalition of technology companies, organizations and researchers, announced a new certificate authority initiative, Let’s Encrypt, to make HTTPS the default encryption and communications protocol across the entire Web. According to the EFF, the current HTTP protocol leaves websites vulnerable to account hijacking, identity theft, surveillance, injection of malicious scripts, and censorship. The initiative is set to launch in the summer of 2015.