A case for making software more hack-resistant from the start
With the Internet of Things expanding, security too often gets ignored by software developers
By Byron Acohido, ThirdCertainty
Given the rapid spread of the Internet of Things, it won’t be long until your toaster ties into the Internet. Copy machines already do. So do thermostats, utility meters, cars, refrigerators and medical devices.
If you don’t think the cyber underground is moving to take advantage of flaws in the software that enables IoT, think again. The SANS-Norse Healthcare Cyberthreat Report last year revealed that the networks and Internet-connected devices of organizations in virtually every health care category—from hospitals to insurance carriers to pharmaceutical companies—have been and continue to be compromised by successful attacks.
ThirdCertainty recently sat down with John Dickson, principal at the Denim Group, to discuss the wider implications of how we’ve come to use software. The Denim Group helps organizations assess and mitigate software risks.
Prior to joining the San Antonio, Texas-based consultancy, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT). Here’s what he had to say. (Text edited for length and clarity)
3C: What basic guidance are you espousing about software security?
Dickson: We’re at the front end of software and system development. We help organizations build their systems or software securely the first time. The challenge we’ve had, and it is a challenge across the industry, is you can build a piece of software and publish it without making it resilient to attack. Nobody is going to compel you to test it to make sure that it’s secure and that it doesn’t have defects or vulnerabilities.
3C: Can or should that be done?
Dickson: This is an economic problem and a decision-making problem. How do you make security less discretionary? How do you make it so that people publishing software, specifically, are much more incentivized to ensure that it is resistant to attack?
3C: Aren’t the big tech giants at least moving in that direction?
Dickson: If you look at the ISVs, the Independent Software Vendors, the Microsofts, the Adobes, they are pretty good at that game. They’ve been working on it for perhaps a decade, plus. Then you’ve got the Facebooks of the world and the Big Cloud apps also kind of in there. It’s everything below that that you’ve got to kind of wonder, ‘What are those guys doing? Are they doing the right thing? They’re constantly under attack, so therefore, is the emphasis on security there?’ Our observation is that it’s not. If you go to the second- and third-tier companies across the U.S and internationally, they just simply don’t have the level of rigor.
3C: But that’s the DNA of the software industry. Push out the beta version and let the consumer do the testing for you.
Dickson: What we’re trying to figure out is how do we do more truth-in-lending. Absent an Underwriters Lab for software, how does an organization justify essentially allocating more resources to do a little bit more security work when they’re building the software? Because again, nobody is really going to know until they get dinged, until the software gets exploited.
3C: So you’re talking about a big shift in how software is developed.
Dickson: Our key argument has been that security is a facet of software. It is not unlike any other facet of software. In order to be extensible, in order to work with other things, it has to be designed in a predictable way. It has to be more resilient, not necessarily impervious to hacking, but simply more resilient and thus not likely to fall over at the first probe.
3C: Doesn’t the Internet of Things worsen this dilemma?
Dickson: If you are Maytag—and I don’t mean to pick on Maytag, I don’t know these guys at all —is security really a deep part of their design process if they’re doing the IoT. Or is it a rush to market to put in IoT and say they have an IoT device? They do Underwriters Lab testing to make sure that the appliance doesn’t start a fire. There’s no similar standard out there for software security.
3C: So what lies ahead?
Dickson: There’s no appetite for top-down regulation right now, throughout the country. Unless there’s a spectacular failure and people lost their lives or houses are burned down, I don’t see a compelling rational for regulation, nor is there a political will to do that.
If you go back in history, Underwriter Labs was a response to a lot of toasters catching fire.
Lots of things burned down before Underwriters Lab came out. I don’t want to paint a negative picture, but I do think there’s going to have to be something of an equivalent. It’s too easy right now to field a product that has not been previously tested on the security side and then say, ‘Yup, I have an IoT device.’
More on security:
Security must be part of device design as Internet of Things evolves
When it comes to cybersecurity, gap between IT, boardroom must be bridged
Third-party vendors are the weak links in cybersecurity