If one word could sum up the software security situation in 2014, it would be “Egad!” With major enterprises like Target, Home Depot and Sony not just hacked but completely compromised (Target's breach actually came to light in December 2013, but its fallout ran through all of 2014), what hope do smaller firms have of keeping attackers at bay?
Fortunately, things are already looking up for 2015. For starters, the Electronic Frontier Foundation, together with Mozilla and others, is backing Let's Encrypt, an effort to fix a problem the web has faced since the first dot-com bubble: TLS certificates.
For years, Internet graybeards have complained that certificates prove less than people assume: a domain-validated cert proves only that whoever requested it could answer a challenge for that domain at that moment, and beyond that the main barrier to getting one is the money to pay a CA. Add to this the Heartbleed bug (CVE-2014-0160) disclosed in OpenSSL in April 2014, which let anyone read chunks of a server's memory, private keys included, and you had a year in which the trust infrastructure of the Internet looked badly shaken. Worse, a leaked key means the cert must be revoked and reissued, and browsers' revocation checking is weak enough that many of those leaked keys stayed usable long after the patch.
But Let's Encrypt, launching in 2015 under the non-profit Internet Security Research Group with the EFF and Mozilla among its founding sponsors, will issue domain-validated certificates for free, and will issue them through an automated protocol (ACME) rather than a web form and an invoice. That removes the excuse many unencrypted sites have right now: no budget for certs. It also addresses the common problem of certs expiring when funding runs out, or a company is acquired, or any of the thousands of other reasons corporations find for putting off renewal. The catch is that Let's Encrypt certificates are short-lived (90 days), so renewal has to be scripted; the real win is not just that no purchase order is needed, but that renewal no longer waits in anyone's inbox at all.
Another upside to the current security situation is that some of the solutions coming out of this past year are seriously powerful. From using log aggregators like New Relic, Sumo Logic, Crittercism or Loggly to pinpoint mass-coordinated attacks, to some new practices for open-source software, software firms are finally waking up to the fact that security isn't an afterthought or someone else's responsibility. The aggregation matters more than the vendor: a botnet that spreads its password guesses across thousands of source addresses and every one of your front ends stays under every per-server, per-IP threshold, and only becomes visible once all the logs are in one place.
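The kind of correlation the aggregators make possible, as an added example that is not part of the original article and not code from any of the products named: it reads a constructed sample of authentication logs collected from several hypothetical front ends (the line format, hostnames, usernames and addresses are invented) and flags both a distributed attack on one account from many sources and a single source spraying many accounts. Thresholds are assumptions chosen for the sample, not values from the article.

```python
"""Correlate failed logins across front ends to spot coordinated attacks.

Per-host, per-IP rate limits miss a botnet that spreads one account's
guesses over many source addresses; only the aggregated view shows it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of aggregated auth logs from three invented front ends
# (web01..web03). Format and values are made up for this example.
SAMPLE_LOG = """\
2014-12-03T10:00:01Z web01 auth result=FAIL user=alice src=203.0.113.10
2014-12-03T10:00:03Z web02 auth result=FAIL user=alice src=198.51.100.7
2014-12-03T10:00:04Z web01 auth result=OK   user=bob   src=192.0.2.44
2014-12-03T10:00:06Z web03 auth result=FAIL user=alice src=203.0.113.55
2014-12-03T10:00:09Z web02 auth result=FAIL user=alice src=198.51.100.99
2014-12-03T10:00:11Z web01 auth result=FAIL user=alice src=203.0.113.201
2014-12-03T10:00:12Z web03 auth result=FAIL user=carol src=192.0.2.9
2014-12-03T10:00:14Z web02 auth result=FAIL user=alice src=198.51.100.3
2014-12-03T10:00:15Z web01 auth result=FAIL user=dave  src=192.0.2.9
2014-12-03T10:00:16Z web03 auth result=FAIL user=erin  src=192.0.2.9
2014-12-03T10:00:17Z web02 auth result=FAIL user=frank src=192.0.2.9
2014-12-03T10:00:18Z web01 auth result=FAIL user=grace src=192.0.2.9
2014-12-03T10:00:19Z web01 auth result=OK   user=carol src=192.0.2.9
2014-12-03T10:00:20Z web03 auth result=FAIL user=bob   src=192.0.2.44
2014-12-03T10:09:59Z web02 auth result=FAIL user=alice src=203.0.113.77
2014-12-03T10:40:00Z web01 auth result=FAIL user=alice src=203.0.113.78
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth result=(?P<result>\w+)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse aggregated log text into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines from other log sources or noise
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _densest_window(items, window, min_count, min_distinct):
    """items: time-sorted list of (ts, key). Slide a window of the given
    length over them and return (count, distinct keys) for the fullest
    window that meets both thresholds, or None if none does."""
    best = None
    left = 0
    for right in range(len(items)):
        while items[right][0] - items[left][0] > window:
            left += 1
        span = items[left:right + 1]
        distinct = len({key for _, key in span})
        if len(span) >= min_count and distinct >= min_distinct:
            if best is None or len(span) > best[0]:
                best = (len(span), distinct)
    return best


def find_attacks(events, window=timedelta(minutes=10),
                 min_failures=5, min_sources=4, min_targets=4):
    """Return accounts hit from many sources and sources hitting many accounts.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    by_user = defaultdict(list)  # user -> [(ts, src)] of failures
    by_src = defaultdict(list)   # src  -> [(ts, user)] of failures
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        by_user[ev["user"]].append((ev["ts"], ev["src"]))
        by_src[ev["src"]].append((ev["ts"], ev["user"]))

    distributed = {}
    for user, items in by_user.items():
        hit = _densest_window(items, window, min_failures, min_sources)
        if hit:
            distributed[user] = {"failures": hit[0], "sources": hit[1]}

    single_source = {}
    for src, items in by_src.items():
        hit = _densest_window(items, window, min_failures, min_targets)
        if hit:
            single_source[src] = {"failures": hit[0], "targets": hit[1]}

    return {"distributed": distributed, "single_source": single_source}


if __name__ == "__main__":
    report = find_attacks(parse_events(SAMPLE_LOG))
    for user, d in report["distributed"].items():
        print(f"account {user}: {d['failures']} failures "
              f"from {d['sources']} distinct sources")
    for src, d in report["single_source"].items():
        print(f"source {src}: {d['failures']} failures "
              f"against {d['targets']} distinct accounts")
```

In the sample, no single address hits alice more than once, so a per-IP rule on any one server sees nothing; only the per-account view across all three hosts shows seven failures from seven addresses in ten minutes. The reverse check catches 192.0.2.9 walking through five accounts, the classic credential-stuffing pattern, while bob's two failures from one address stay below threshold.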
That's why some firms are rebuilding tools like OpenSSL with every feature they do not explicitly use compiled out: the heartbeat extension behind Heartbleed, for instance, can be left out of a build with the OPENSSL_NO_HEARTBEATS define, and OpenBSD's LibreSSL fork took the same idea much further in 2014 by deleting whole subsystems. Others, meanwhile, are writing their own mitigations to close holes instead of waiting around for vendor patches. The caveat is that a custom build carries a custom maintenance burden: every upstream security fix from then on has to be merged, rebuilt and redeployed by you. It's time to get active about security.