A case for making software more hack-resistant from the start

With the Internet of Things expanding, security too often gets ignored by software developers


Given the rapid spread of the Internet of Things, it won’t be long until your toaster ties into the Internet. Copy machines already do. So do thermostats, utility meters, cars, refrigerators and medical devices.


If you don’t think the cyber underground is moving to take advantage of flaws in the software that enables IoT, think again. The SANS-Norse Healthcare Cyberthreat Report last year revealed that the networks and Internet-connected devices of organizations in virtually every health care category—from hospitals to insurance carriers to pharmaceutical companies—have been and continue to be compromised by successful attacks.

John Dickson, Denim Group principal

ThirdCertainty recently sat down with John Dickson, principal at the Denim Group, to discuss the wider implications of how we’ve come to use software. The Denim Group helps organizations assess and mitigate software risks.

Prior to joining the San Antonio, Texas-based consultancy, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT). Here’s what he had to say. (Text edited for length and clarity.)


3C: What basic guidance are you espousing about software security?

Dickson: We’re at the front end of software and system development. We help organizations build their systems or software securely the first time. The challenge we’ve had, and it is a challenge across the industry, is you can build a piece of software and publish it without making it resilient to attack. Nobody is going to compel you to test it to make sure that it’s secure and that it doesn’t have defects or vulnerabilities.

3C: Can or should that be done?

Dickson: This is an economic problem and a decision-making problem. How do you make security less discretionary? How do you make it so that people publishing software, specifically, are much more incentivized to ensure that it is resistant to attack?

3C: Aren’t the big tech giants at least moving in that direction?

Dickson: If you look at the ISVs, the Independent Software Vendors, the Microsofts, the Adobes, they are pretty good at that game. They’ve been working on it for perhaps a decade, plus. Then you’ve got the Facebooks of the world and the Big Cloud apps also kind of in there. It’s everything below that that you’ve got to kind of wonder, ‘What are those guys doing? Are they doing the right thing? They’re constantly under attack, so therefore, is the emphasis on security there?’ Our observation is that it’s not. If you go to the second- and third-tier companies across the U.S. and internationally, they just simply don’t have the level of rigor.

3C: But that’s the DNA of the software industry. Push out the beta version and let the consumer do the testing for you.

Dickson: What we’re trying to figure out is how do we do more truth-in-lending. Absent an Underwriters Lab for software, how does an organization justify essentially allocating more resources to do a little bit more security work when they’re building the software? Because again, nobody is really going to know until they get dinged, until the software gets exploited.

3C: So you’re talking about a big shift in how software is developed.

Dickson: Our key argument has been that security is a facet of software. It is not unlike any other facet of software. In order to be extensible, in order to work with other things, it has to be designed in a predictable way. It has to be more resilient, not necessarily impervious to hacking, but simply more resilient and thus not likely to fall over at the first probe.

3C: Doesn’t the Internet of Things worsen this dilemma?

Dickson: If you are Maytag—and I don’t mean to pick on Maytag, I don’t know these guys at all—is security really a deep part of their design process if they’re doing the IoT? Or is it a rush to market to put in IoT and say they have an IoT device? They do Underwriters Lab testing to make sure that the appliance doesn’t start a fire. There’s no similar standard out there for software security.

3C: So what lies ahead?

Dickson: There’s no appetite for top-down regulation right now, throughout the country. Unless there’s a spectacular failure and people lost their lives or houses are burned down, I don’t see a compelling rationale for regulation, nor is there a political will to do that.

If you go back in history, Underwriter Labs was a response to a lot of toasters catching fire.

Lots of things burned down before Underwriters Lab came out. I don’t want to paint a negative picture, but I do think there’s going to have to be something of an equivalent. It’s too easy right now to field a product that has not been previously tested on the security side and then say, ‘Yup, I have an IoT device.’
