Software Security is in the Wild West (and it’s going to get us killed)

As a (semi-retired) ethical hacker, security professional and all-round computer geek, you might say I care a lot about technology. I care about how it was crafted, what it does and how it’s going to make some aspect of our lives better or more efficient. I look ‘under the hood’ of devices all the time, seeing some of the best (and worst) examples of code out there. Recently, I looked at how my air-con system could be controlled remotely with an Android app (imagine my surprise when I discovered that anyone on the WiFi network could control that thing without any authentication whatsoever).

Software security is always front-of-mind for me, as is the very real danger posed by our increasingly digital, personal information-sharing lifestyles. After all, we are in a largely unregulated, unsupervised and blissfully ignored territory. We’re in the Wild West.

As a collective society, we’re not looking under the hood of the technology we use every day. Although popular and highly acclaimed TV series like Mr. Robot help with general awareness, we’re not security-minded… in fact, most of us have no idea how secure the software is within the myriad of applications, services and increasingly connected things we purchase and use. It’s not even that we inherently trust them – we simply don’t think about them at all.

Sony PlayStation Network (PSN), Ticketmaster, Yahoo!, Facebook, Target: every single one of these widely-used companies has been a victim of a data breach. Their software vulnerabilities were exploited, and millions upon millions of customer records were exposed. These examples represent a fraction of the global breaches that have taken place in the last ten years. They are a costly consequence of poor software security that allows the bad guys to steal our precious information.

When most people consider data breaches, they think about information security breaches, They are understood to be a nightmare for the company breached and inconvenient for those whose personal details have been impacted, but seriously, what’s the big deal? If security continues to be ignored, are the consequences really that big? Nothing that major has happened so far – data breaches have severe impacts for the companies responsible for them, but it’s their problem, right? They lose business, they lose consumer trust; it’s ultimately their job to sort it out and pay for the damage.

Software security should be every organization’s priority.

There’s a fairly simple reason as to why software security isn’t the number one concern for every organization out there with a dev team: not enough people have lost their lives yet and there’s not enough knowledge about the risks.

Morbid? Perhaps. But it’s the honest truth. Regulation, build standards and law-changing attention is paid (like from, for example, government agencies) when there is a real human cost.

Take a bridge, for example. Civil engineers (a line of work that is hundreds of years old) consider safety as a core part of constructing a bridge. Their approach goes far beyond aesthetics and basic functionality. Every bridge built is expected to adhere to stringent safety regulations, with both the civil engineering profession and society as a whole learning over time to expect a high level of safety. A bridge today that does not meet the safety requirements is considered dangerous and unusable. This is still an evolution we need to get to within software engineering.