After reporting out this month’s feature on software security, it strikes us that there appear to be parallels between companies selling security solutions and those selling pharmaceuticals.
Those who take to conspiracy theories have argued for years that the pharmaceutical companies have no incentive to eliminate, say, cancer, because they would lose the massive profits generated by the drugs they’ve created that prolong life. Actually curing the disease would dry up their revenue streams, and we know investors would not take kindly to that.
So it seems with software security. As Gartner analyst Joseph Feiman pointed out for our article, identity access management is 45 years old, and network protection (firewalls) is 30 years old, and yet together they don’t succeed in stopping unwanted intrusions into applications and their back ends. But the vendors keep selling—nay, pushing—them because there’s nothing better right now.
The vendors, Feiman told editor-in-chief David Rubinstein, “keep adding new features, tweaking here and there, saying, well, now it will do much better, now it will do much better. And because we don’t know anything else, we’ll do it.”
And apparently it doesn’t get better. Ask Sony. Ask the United States government. Ask any of the victims of the Heartbleed hack, or those who’ve fallen prey to hackers exploiting other vulnerabilities.
John Steven, CTO at testing and security company Cigital, said there’s a bit of a “moral hazard” in the security space. He noted there are libraries such as Mustache and Caja and even AngularJS that are freely available to companies to use, yet, he said, “The reason you’re not hearing about them is that if you run a testing firm, there’s not a lot of incentive for you to explain that there’s a freely available open-source package that works for PHP, Java, .NET, JavaScript, Python—all the things you use—that just makes this class of things we’re really good at finding go away.”
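To make concrete what an auto-escaping template library buys you, here is an added example (not code from the article, nor from the Mustache project) of a minimal Mustache-style renderer: the double-brace tag HTML-encodes whatever it interpolates, so untrusted input cannot break out of the surrounding markup, while the triple-brace tag is the explicit, reviewable opt-out. The template syntax follows Mustache; the renderer itself and the `renderUnsafe`/`renderSafe` helpers are constructed for this illustration.

```javascript
// Added example: a minimal Mustache-style renderer (not Mustache's own code).
// {{key}} is HTML-escaped by default; {{{key}}} is the raw opt-out that must be
// reserved for content the application already trusts. Sections, partials and
// comments are deliberately left out to keep the core idea visible.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

// Encodes every character that can change meaning inside an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolves a dotted key such as "user.name" against the view object; missing keys yield ''.
function lookup(view, key) {
  const v = key.split('.').reduce((obj, part) => (obj == null ? undefined : obj[part]), view);
  return v == null ? '' : v;
}

// Renders a template in one pass so that raw content can never be re-parsed as a tag.
function render(template, view) {
  const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  return template.replace(TAG, (_, rawKey, escKey) =>
    rawKey !== undefined ? String(lookup(view, rawKey)) : escapeHtml(lookup(view, escKey)));
}

// Constructed untrusted input: a display name that carries markup.
const untrustedName = '<script>alert(1)</script>';

// The hand-rolled approach many teams start with: plain string concatenation.
// The markup lands in the page verbatim, which is the bug class testing firms find.
function renderUnsafe(name) {
  return '<p>Welcome, ' + name + '</p>';
}

// The templating approach: same page, but the name is encoded on the way out.
function renderSafe(name) {
  return render('<p>Welcome, {{ user.name }}</p>', { user: { name } });
}
```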
Yet security breaches do cause real pain, and organizations are struggling to get the upper hand.
One way is to look at the Building Security In Maturity Model (BSIMM), designed to measure your software security initiatives against those of other organizations. It’s not prescriptive, but it does reveal what organizations are doing to close holes in their software.
Tooling needs to catch up to the problem as well, and developers need to be better trained to work alongside security practitioners so that the code they write is secured as they go along, not reviewed only after it’s completed. Also, certificates are still effective. Use them, along with SSL and encryption.
We will never defeat hackers. As noted in our article, the good guys have to get it right all the time to avoid being hacked. The bad guys only have to find one hole. The advantage is theirs.