3 Activities for Making Software Secure by Design
Criminals and foreign state actors have increasingly targeted our personal data and critical infrastructure services. Their disruption is enabled through vulnerabilities in software whose design and build are inadequate for effective cybersecurity. Most software creators and vendors prioritize speed of release to capture customers quickly with new features and functions, then fall back on a never-ending cycle of post-release patches and “updates” to handle issues such as security. Meanwhile, our data, our homes, our economy, and our safety are increasingly left open to attacks. Automation and interconnection among software systems make software risks hard to isolate, increasing the value of each vulnerability to an attacker.

Moreover, the sources of vulnerabilities are increasingly complex and spreading due to an ever-growing supply chain of software components within any product. After code originators are compelled to make a fix, it must trickle into the products that use their software for the security repairs to become effective, which is a time-consuming and frequently incomplete process. Many vulnerabilities remain unrepaired, leaving risk exposure long after a fix is available. Users will not be aware of the risk unless they are closely monitoring their supply chains, but supply chain information is rarely available to users.

Commercial systems and software, including open source software, are becoming further interwoven into the systems that control and support our national defense, national security, and critical infrastructure. Their use and reuse reduce costs and speed delivery, but their growing vulnerabilities are especially dangerous in these high-risk domains. To protect national security, critical infrastructure, and the way we live our lives, the software community must start producing software that is secure by design.
To accomplish this shift, the creators, acquirers, and integrators of software and software systems need to change their mindset, education, training, and prioritization of software quality, reliability, and safety. In this blog post, we will look at some key secure-by-design principles, roadblocks, and accelerators.