The BIGGEST Hole in Cybersecurity — Software!
- doswebdev
- Sep 10, 2024
- 4 min read
Updated: Sep 23, 2024

I have worked for many years to promote cybersecurity in my projects and teams, training and getting certified myself as a Certified Information Systems Security Professional (CISSP) and leading many of my employees and associates to achieve similar credentials. We hold study groups, make frequent presentations, establish procedures and write documentation all for the purpose of ensuring the security of our software. Certainly, our teams have been evolving, but it takes a lot of effort, and we are all pulling together.
That's why it blows me away when I meet with employees of other companies, and they are completely clueless when I talk about security! A few have heard about the need for generating keys and certificates. SQL injection and cross-site scripting sound vaguely familiar, but ask anyone to explain these items, and...conversation over. Just forget about anyone in software development holding any sort of cyber certification on any level! Thus, every time I have hired a new developer, we start from scratch in training and certifying them for cybersecurity.
Cybersecurity in the Software Industry
I know the lack of cybersecurity is not universal in the industry, and I have heard of other companies that put a lot of emphasis on it. Adobe, for example, has pioneered its own efforts in recent years to become a powerhouse in cybersecurity, with efforts such as the Adobe Secure Product Lifecycle (SPLC), the Adobe Secure Engineering Portal, the Adobe Product Security Incident Response Team (PSIRT), and my favorite, the Adobe Bug Bounty Program. It's hard to believe that 20 years ago Adobe was so prone to being hacked that I had to make up a special email address to give them because of all the dark-web spam it would produce.
But Adobe is an outlier. There is a lot of evidence that shows how out of touch the software industry is with regard to cybersecurity:
A report by Veracode found that approximately 80% of EMEA (Europe, Middle East, and Africa) software applications contain at least one vulnerability, and 20% have "high severity" flaws.
A report by Synopsys found that 28% of respondents said their organizations take as long as three weeks to patch critical security risks/vulnerabilities in deployed applications. Another 20% said it can take up to a month, even as most exploits appear within days.
A Cybersecurity Ventures report predicts that global cybercrime costs will grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. This highlights the ongoing consequences of insufficient cybersecurity measures across industries, including the software sector.
Maturity of the Cybersecurity Industry
At the same time, we know that cybersecurity as an industry is well established, regardless of how individual software companies participate in it.
The global cybersecurity market is projected at $185.7 billion in 2024 and is expected to reach $271.9 billion by 2029, according to Statista.
Organizations like NIST and ISO, and frameworks like COBIT, have established industry standards and guidelines for cybersecurity practices, indicating the field's maturity and stability.
Well known professional organizations dedicated to cybersecurity, such as ISACA, (ISC)², CompTIA and ISSA, support the industry through research, education, certification, and collaboration.
More than 200 colleges and universities in the U.S. alone offer undergraduate and graduate programs in cybersecurity.
Governments worldwide have established cybersecurity agencies and standards of governance, including established initiatives and regulatory frameworks to improve national cybersecurity postures.
It's about Culture
So the big question is WHY? Why don't software companies, teams, and developers take cybersecurity more seriously? I read things like awareness and training, time and resource constraints, and lack of enforcement, and these factors all contribute. To me it's a matter of our underlying culture.
All developers are problem solvers at heart. They just want to focus on one issue, one ticket at a time, and they don't want complications. Things like testing are important, but they prefer to have testers take care of that for them.
Most developers feel the frameworks (Drupal, Laravel, Rails, or any MVC framework, etc.) are supposed to take care of security concerns by default. It's true that most frameworks have security features built in, such as parameterized database queries through the ORM, output escaping in templates, and CSRF tokens on forms, but these only protect the code paths that use them as intended, and no framework offers comprehensive security coverage. The moment a developer drops down to a raw query string or marks output as "safe," the framework's protection is gone and the classic vulnerabilities are right back.
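To make the point concrete, here is an added example (not code from the original post or from any of the frameworks named above) using Python's standard sqlite3 driver, which supports parameter binding the same way a framework's ORM does. The users table, its rows, and the function names are constructed for this illustration. The first lookup builds the SQL string by hand, which is exactly what a developer does when they step outside the framework's query builder; the second uses the driver's parameter binding. The same crafted input leaks every row through the first and matches nothing through the second.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'framework handles it' assumption, defeated.

    The SQL string is assembled by hand, so the driver's parameter binding
    never sees the user input. Anything the caller puts in `name` is parsed
    as SQL, and a crafted value rewrites the WHERE clause.
    """
    sql = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query using the driver's parameter binding (what the ORM does).

    The input travels to the engine as a bound value, never as SQL text,
    so the injection payload is compared literally and matches no row.
    """
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the string literal and ORs in a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"


def demo() -> tuple:
    """Return (rows leaked by the unsafe lookup, rows returned by the safe one)."""
    conn = make_db()
    leaked = find_user_unsafe(conn, PAYLOAD)
    safe = find_user_safe(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    n_unsafe, n_safe = demo()
    print(f"payload {PAYLOAD!r}: unsafe lookup returned {n_unsafe} rows, "
          f"safe lookup returned {n_safe} rows")
    # → payload "x' OR '1'='1": unsafe lookup returned 3 rows, safe lookup returned 0 rows
```

Both functions look like ordinary "find a user by name" code and both sit on top of a driver that fully supports parameter binding; only the one that actually uses it is protected. That is the gap between "the framework has security built in" and "the application is secure."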
To many developers, cybersecurity is most often considered IT's responsibility, and development is totally separate from IT. Do you remember Mordac, the Preventer of IT Services from the Dilbert cartoon strip? That character was funny because it represented the neverending conflict that exists between IT and Development, often in the name of security.
IT Culture
So it's not just the culture of development that causes issues. IT culture is just as much to blame. And yes, I am saying that software development is separate from IT, because although IT thinks development is a subset of what they do, developers see IT as completely separate.
Most cybersecurity standards and frameworks were written and developed by IT professionals, not developers. This is evident in the language and nature of the standards. How many years did it take for the Department of Defense to add an Application Development STIG, let alone STIGs for coding languages, application hosting platforms and non-Oracle application databases?
Security audits are considered an IT function by auditors, ISSOs and ISSMs, who are usually non-development IT personnel. I have personally participated in multiple annual audits where the only STIG being audited was the Oracle Database, while the servers and applications were entirely ignored.
IT professionals often believe they know all about development and try to set standards based on their limited perspective. I have often been amazed at the number of IT guys interviewing for development jobs who have little or no programming experience, no understanding of object-oriented coding or design patterns, no experience in version control and hardly a modicum of command line ability.
Conclusion
While I acknowledge the opposing cultures of IT and development, I don't agree with the results. Once upon a time we all thought that DevOps would unite these two tribes. While proper use of DevOps, especially DevSecOps, can connect development and IT, this is far from universal.
We need to set aside our egos and seek for unity on an organizational level. We need developers and development teams to acknowledge security and their connection with IT, and we need IT to graciously acknowledge the right of development to exist in their separate way of doing things — then we can bridge the DevOps gaps and work together to ensure safe and secure software.
~ Tom/*