Software Development Standards Need to Be Addressed

By Guest Blogger, Chris Bonatti, Consultant, IECA – Casper Wyoming

Foreword by CyberWyoming: Operations and maintenance, including patching, makes up over half the unfilled jobs in the cybersecurity industry, according to cyberseek.org. Of 464,420 total job openings, 283,151 are counted under operations and maintenance. A large part of the industry’s expenses are spent on guarding against software defects. www.cyberseek.org

Business Outranks Security

The largest-scale force acting against security is that the economics of the software business act against security in a rather fundamental way. Software is an expensive business, and we probably don’t need to explain the dynamics of managing to the bottom line. Businesses are naturally frugal. They want to wring every penny out of software they invest in, or in developing software products. It’s never easy to persuade any business that they should invest in re-writes or proactive bug hunts in a product that’s already been fielded.

Security is also expensive, and it’s a technical field that has had considerable conflict with the software field. Software development has been refining itself for more than half a century, focusing on developing faster, cheaper, and more incrementally. Contrast the evolution from the traditional “Waterfall” model of a software project to the modern “Agile” development model–where the plan is to develop in cycles or spirals, and the mantra is Plan | Run | Evaluate | Improve. Agile development can be an excellent model for achieving success, particularly where the requirements or the best application of technology aren’t known from the outset. In contrast though, security is all about getting the details right, and the basic requirement is to be secure every time from the first transaction. Security is frequently viewed by software developers as an impediment that slows their rapid development cycles… which costs money and reflects badly on their performance metrics. Marketing executives and senior management (who are frequently non-technical) prioritize low cost and quick sales over security. After all, security doesn’t seem to produce anything… and is only even noticed when it fails. This is the economic reality we live under: security usually loses when it conflicts with business priorities.

A good example can be seen in Microsoft’s handling of this summer’s months-long, multi-vulnerability print spooler disaster. In their own analysis for the CERT of a recent flaw in the Windows Print Spooler (CVE-2021-34527), Microsoft itself described the behavior of the printer driver installation subsystem, PointAndPrint, as “vulnerable by design”. Yet their 6 July patch (KB5005010) declined to actually fix the underlying problem, and merely provided a better “OFF switch” (via a registry key) to prevent the flaw from being used for privilege escalation. Rather than fix the core problem, which might inconvenience some of their users who are accustomed to the vulnerable behavior, Microsoft will let a remote code execution (RCE) flaw remain… so long as it doesn’t deliver root privilege. What? There aren’t already enough privilege elevation bugs to alarm them?! Yet does Microsoft lose any customers or revenue from such fiascoes? The evidence says no. Rather than hemorrhaging users, Windows (all versions) enjoys an estimated market share of 87% that has held steady for years. The message is clear. Microsoft’s customers are comfortable with Windows and don’t care too much about security. From their treatment of flaws, Microsoft is fully aware of this.

Stay tuned for part 2.
