
3 Strategies for Enhancing Software Security Rigor


A Transformational Shift in Software Security: Companies Will Soon Bear Responsibility for Insecure Software

In the world of software security, we are currently experiencing a significant transformation. Gone are the days when companies could play the victim card and avoid accountability for insecure software. With the release of President Biden’s National Cybersecurity Strategy, the landscape is changing, and organizations will soon be held liable for the vulnerabilities present in their software.

The National Cybersecurity Strategy, created by President Biden’s administration, is aimed at securing the benefits of a safe and secure digital ecosystem. One of its primary focuses is on software security and determining who should bear the responsibility for the security of software products. The strategy emphasizes that markets often fail to impose sufficient costs on entities that introduce vulnerable products or services. As a result, it calls for greater liability for organizations that ship insecure software.

Irrespective of the ongoing debate between regulation and market forces, it is difficult to argue against the strategy’s implicit assertion that insecure software is pervasive. As security professionals, it is our responsibility to understand why insecure software is so prevalent and how we can address this issue. The introduction of this plan means that software security will cease to be a mere luxury; companies will be held liable for the security of their products. It is, therefore, crucial to bring rigor to software security.

One of the primary reasons for the existence of insecure software lies in the flaws introduced during the coding process. It is important to establish a clear understanding of the terminology used in this context. A “flaw” refers to an implementation defect present in the code, which can result in a “vulnerability.” A vulnerability is a weakness within the software code that can be exploited by attackers. Over time, these flaws accumulate, leading to a concept known as “security debt.” Security debt has played a significant role in the rise of DevSecOps, which involves integrating security throughout the software development life cycle.

Veracode’s latest “State of Software Security” research report delved deep into the factors contributing to the introduction of flaws. The report analyzed data from over 750,000 applications using static analysis. The findings revealed that irrespective of their size, applications grow steadily at a rate of approximately 40% per year in their first five years. However, the rate of new flaw introduction follows a different pattern. When a new application is onboarded, the number of flaws experiences a steep decline, most likely because the initial scan uncovers previously accumulated flaws. This marks the “honeymoon phase” that lasts for about a year and a half, during which nearly 80% of applications introduce no new flaws. However, once the honeymoon phase ends, the introduction of flaws steadily increases until it plateaus around the fifth year.

The most common flaws varied depending on the type of scan conducted. Static, dynamic, and software composition analyses each utilize different techniques and detect different issues. While some flaws were common across all three types of scans, the differences highlight the importance of employing multiple scan types.

The frequency of scans also has a significant impact on the probability and number of new flaws. The research found a noticeable reduction in both the probability and the count of new flaws when the application had been scanned in the previous month. Additionally, automating the scanning process through application programming interfaces (APIs), rather than relying on manually triggered scans, proved beneficial in minimizing the probability and count of flaws.

To move towards more secure applications, it is essential to address flaws as early and swiftly as possible. As applications age, they tend to accumulate more flaws, indicating that something changes either within the application itself or among the development teams. Whether it is due to increasing complexity or a diminishing focus on production applications, the upward trend in flaw accumulation becomes evident over time.

Another vital aspect is prioritizing automation and developer training. Educating developers about the most common flaws and how they are introduced can significantly reduce their occurrence. The research demonstrated that developers who completed ten hands-on security training courses showed a 12% reduction in the number of flaws introduced.

Lastly, companies must establish application lifecycle management. Identifying who owns an application is critical for ensuring its security. However, it is unrealistic to attempt to create a comprehensive list from the outset as it would be an endless endeavor. Instead, it is more effective to start with the necessary information for a few applications and progressively build the list from there.

Maintaining an application involves not only determining whether it is still needed but also deciding how long it should remain in production. Given the increase in flaws over time, it is crucial to pay attention to the application’s security in its later years.
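The two operational points above, scanning every application with all three scan types at least monthly and knowing who owns each application and how old it is, can be turned into a routine inventory check. The following is an added example written for this page; it is not code from Veracode or from the article. It assumes a simple inventory format (a list of records with an owner, an onboarding date, and the date of the last static, dynamic, and software composition scan), and the 30-day and 18-month thresholds are taken from the article's "previous month" and "honeymoon phase" figures. The sample inventory is constructed for illustration.

```python
"""Application-inventory hygiene checks (added example, not the article's code).

Assumed inventory format: a list of dicts with keys
  name, owner (may be None), onboarded (ISO date),
  scans: {scan_type: last_scan_date as ISO date, or None}
Scan types mirror the three analyses the article names: static, dynamic, sca.
"""
from __future__ import annotations

from datetime import date, timedelta

REQUIRED_SCAN_TYPES = ("static", "dynamic", "sca")
STALE_AFTER = timedelta(days=30)            # "scanned in the previous month"
HONEYMOON = timedelta(days=int(1.5 * 365))  # ~18-month honeymoon phase


def _parse(d: str | None) -> date | None:
    """Parse an ISO date string; None stays None (meaning 'never')."""
    return date.fromisoformat(d) if d else None


def check_application(app: dict, today: date) -> list[str]:
    """Return the list of hygiene findings for one inventory entry."""
    findings: list[str] = []
    if not app.get("owner"):
        findings.append("no owner assigned")
    onboarded = _parse(app.get("onboarded"))
    if onboarded is not None and today - onboarded > HONEYMOON:
        findings.append("past honeymoon phase; expect rising flaw introduction")
    scans = app.get("scans", {})
    for scan_type in REQUIRED_SCAN_TYPES:
        last = _parse(scans.get(scan_type))
        if last is None:
            findings.append(f"never scanned with {scan_type}")
        elif today - last > STALE_AFTER:
            findings.append(f"{scan_type} scan stale ({(today - last).days} days)")
    return findings


def check_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Map each application name to its findings (empty list = healthy)."""
    return {app["name"]: check_application(app, today) for app in inventory}


# Constructed sample inventory (hypothetical applications and teams).
SAMPLE_INVENTORY = [
    {"name": "billing-api", "owner": "payments-team", "onboarded": "2024-04-15",
     "scans": {"static": "2024-05-20", "dynamic": "2024-05-25", "sca": "2024-05-28"}},
    {"name": "legacy-portal", "owner": None, "onboarded": "2019-02-01",
     "scans": {"static": "2024-03-01", "dynamic": None, "sca": "2024-05-30"}},
    {"name": "intranet-tool", "owner": "it-ops", "onboarded": "2023-09-10",
     "scans": {"static": "2024-05-10", "dynamic": "2024-05-10", "sca": "2024-05-10"}},
]
TODAY = date(2024, 6, 1)  # fixed reference date so the sample is reproducible


def sample_report() -> dict[str, list[str]]:
    """Run the checks over the constructed inventory at the fixed date."""
    return check_inventory(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run as a script it prints one line per application; `billing-api` and `intranet-tool` come back clean, while `legacy-portal` is flagged for having no owner, being past the honeymoon phase, a static scan more than 30 days old, and never having had a dynamic scan. In practice the inventory would be fed from the scanning platform's API and the check scheduled, so that a missing owner or a stale scan is raised automatically rather than discovered during an incident.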

In the current security climate, software security is of utmost importance. With the National Cybersecurity Strategy planning to enforce actions more rigorously, software vendors have an additional incentive to reduce the security debt in their applications. Understanding how flaws are introduced and remediating them effectively can ensure the security and longevity of software products.

To meet the changing landscape, software security requires rigor at every stage of the modern software development life cycle. As responsibility shifts towards companies, they must rise to the occasion and prioritize the security of their software products.
