
A Bold Step Forward to Incentivize Software Providers to Build More Secure Solutions
One of the boldest proposals in the Biden Administration's new National Cybersecurity Strategy is to “Shape Market Forces to Drive Security and Resiliency,” including an objective to develop new legislation that shifts liability from end-users onto the entities that produce insecure software products and services.
Our research team at Onapsis has discovered and helped mitigate more than 1,000 zero-day vulnerabilities in business-critical application software over the last decade, which gives us a particular perspective on initiatives like this one. Understanding the historical and current state of security in widely used commercial software, our team can offer insight into the pros and cons of this strategic objective.
We know first-hand through our threat research experience that many leading enterprise software providers have made significant investments to enhance their secure development processes and capabilities in the last decade. This has resulted in the release of new solutions that are more secure by design, and have stronger security configurations by default. When performing advanced vulnerability analysis on these new products, we have empirically seen how many of the ‘low-hanging fruit’ vulnerabilities that were successful in prior versions have been controlled, or mitigated, in newer releases. This is a clear indication that many software providers are improving in the right direction.
However, the number of new vulnerabilities continuously discovered and exploited by threat actors cannot be ignored, and it is clear evidence that we are not any closer to solving this problem. The data also supports the Administration's claim that historical and current market forces have proven ineffective at changing this reality. It is often the case that the realized financial losses from breaches and security flaws in products are immaterial to the software provider, yet catastrophic and pervasive for the users of the vulnerable product or service.
For ERP and business applications in particular, this challenge is drastically exacerbated because these applications serve as the essential digital core for the world's largest businesses and for organizations in critical infrastructure sectors such as energy and utilities, manufacturing, and pharmaceuticals, supporting their most critical processes and information. In these scenarios, the security of a software solution is not only relevant to individual users or organizations: given the specialized nature of these products, a large share of users rely on the same (or the same few) commercial software products for mission-critical use cases. This concentration has the potential to create systemic risk at the national and global level if malicious threat actors discover and exploit vulnerabilities in them.
In the perpetual cat-and-mouse game between defenders and threat actors, how do we, the defenders, win? I agree with several experts who have said that it will be very challenging to write legislation adaptable enough to capture this dynamic holistically without stifling innovation. However, what is the alternative? The software and cybersecurity industry as a whole must acknowledge that commercial software security will not get better unless we radically change our approach and re-align incentives. Our industry has tried many things before, from consortiums, to researchers releasing unpatched zero-day vulnerabilities at conferences, to software vendors putting public pressure on each other to patch faster.
Unfortunately, these attempts have clearly not addressed the root cause of the problem: the stakes for companies to ensure their software is secure have not been high enough. Prior to this new strategy, there has not been enough upside for most software producers to proactively invest in and build capabilities at the level required to solve this problem, and the downside of not doing so has been immaterial to their bottom lines.
We depend too much on commercial software as a society to continue hoping that things will magically improve. As the old saying goes: hope is not a strategy.
Raising the bar and the expectations of due care, while rewarding and shielding from liability the vendors that genuinely meet that bar, is a welcome step toward a discussion of how we can re-align the incentives in the software ecosystem and build a more secure future for all of us. At Onapsis, we plan to continue being active participants in this strategy as it moves forward to implementation, making our contribution to creating that better future.
Source: Onapsis-Blog