The SolarWinds and Colonial Pipeline hacks have brought security to the fore of software development. Once again.
And again, our “thoughts and prayers” go out to the customers of those companies, and the companies themselves, harmed by the attacks.
I say this because, not unlike the mass shootings that plague America — and please, do not mistake this metaphor as conflation of killings and software breaches — we seem unable to get a handle on either.
In both cases, I place the blame at the feet of the industries. Clearly, the gun industry has a vested interest in the proliferation of weapons, despite the human cost. In software, our industry has an interest in giving people the tools they need to move more quickly. It pounds the business users of its platforms and tools with the message that if they don't deliver software faster, fickle customers will simply abandon the store they love for another whose website responds a couple of seconds sooner, or which can deliver a package to their doorstep a few hours earlier.
Some might call this heretical, or biting the hand that feeds us. That is not what this is meant to be. I am awed by the changes I’ve seen covering this industry for more than 20 years. Back then, who could have even envisioned the cloud, Kubernetes, edge computing or Infrastructure as Code?
Yet for all the advantages the cloud provides, we never saw the kinds of damaging hacks and data losses we're seeing today when applications ran in on-premises data centers, behind firewalls, with code that didn't depend on calls to so many outside services, so the attack surface was far smaller. Ransomware? Millions of Social Security numbers and credit card numbers stolen? Unacceptable, and almost completely preventable, if our industry took security as seriously as it takes speed to market.
There's a reason cross-site scripting and SQL injection remained on the OWASP Top 10 list of application vulnerabilities for over a decade: organizations see security as a necessary evil, not as their first priority. Security, like software testing in general, slows delivery. Meanwhile, the "bad actors" on the other side have made breaking into applications and systems their top priority; it is, in fact, their reason for being. In the Colonial Pipeline hack, the roughly $4.4 million ransom gave them 4.4 million good reasons to hold the energy pipeline hostage.
What we need to do to curb this damage requires a reset of priorities. Security must be the key consideration for all software releases. Not something to merely be “shifted left,” adding to the list of things developers have foisted upon them, without the necessary knowledge and training to do it effectively. We’ve put the speed cart before the security horse, and it’s costing society in a big way.
I cannot argue against many of the benefits that speed and agility bring to organizations. Being able to deliver new features quickly, based on customer requests and user data, is important for any business. But when quality suffers through insufficient testing, and when security suffers through a lack of diligence, the losses more than offset the gains that speed offers.
The Colonial Pipeline attack alone left large portions of the Eastern Seaboard without gasoline, and where it can be bought, the price has risen by nearly a dollar a gallon in some places.
Some have again called on the government to take the lead on cybersecurity on our vital infrastructure. This column once voiced support for that idea, when data leaks and identity theft first began to occur. Yet, federal efforts to control gun violence — or even to prevent foreign governments from interfering in our elections — show they will not be able to handle this crisis either.
No, it is up to our industry to change the notion that security is some necessary evil to which lip service is paid so that the speed of innovation isn't impeded. Perhaps it's because software breaches usually result only in monetary losses and, unlike the gun industry, not in lost human lives. Perhaps, like the culture changes required to adopt many of the new software development processes, security will simply require even more time and concerted effort to achieve.
Yet I remain optimistic that the security initiatives being put in place today can slow the invasion of our systems and stanch the bleeding of data. It will take a renewed commitment to make security the highest priority in software delivery.