Seeking the Root Causes of Cyber Insecurity, Part IV: Design and Development Processes

Fourth in a series of articles about the underlying factors that affect security posture

This is the fourth and final article in a series that explores the root causes of cyber vulnerability. It’s based on a survey that asked experts whether they thought security problems were inadvertently designed into technology products. Eighty-two percent of respondents rated inherent security problems as either a major or extremely serious factor affecting security. This article shares their insights into the ways that design and development processes contribute to innate security problems in digital technology.

Device Design Shortcuts

The experts we surveyed felt that technology design processes tended to undervalue security.  Michael Covington of Wandera offered an example in the mobile app category. He said, “Most mobile apps, for example, must have connectivity to the Internet in order to function; there are services on the network that ‘power’ the apps and make them useful. Unfortunately, mobile apps also have the ability to harvest information locally on the device and connect to network resources to exfiltrate stolen information. The openness of the mobile ecosystem favors easy development and quick time-to-market over security.”

Ilan Barda of Radiflow shared the observation that “in the industrial world, most devices were not designed with built-in security, as they were not destined for connected applications. For example, many industrial controllers use unsecure protocols for downloading new firmware and performing logic changes.” Aaron Turner of HighSide also found mobile design processes lacking. He faulted “Android OEM’s inability to plan for long-term mobile device support and IoT device manufacturers’ design decisions to avoid security quality assurance milestones in product design and manufacturing.”

Danielle Annis of SAM Seamless Network similarly felt that “devices and networks are designed with minimal embedded security, leaving the network and everything connected vulnerable to attacks.” Doug Britton of RunSafe Security added further texture to the issue, noting, “An innate security defect in modern electronics and associated applications is memory misconfiguration and pointer mismanagement in compiled code (C/C++) that has metastasized across operating systems, open source, and bespoke code. These errors are too numerous to count, too complex to affirmatively find, and too expensive and time consuming to edit out.”

“Cybersecurity is often treated as a secondary function that is far removed from the processes to design, develop, and deliver technology,” said Brinqa’s Syed Abdur. He added, “The DevSecOps trend to ‘shift-left’ is a direct response to, and an indicator of the growing understanding of, this fact. The most effective way to combat vulnerabilities is to ensure that cybersecurity is integrated early and treated as an essential aspect of developing and delivering technology products and services.”

The Software Development Process

The software development process is also not well suited to security, according to many industry experts. John Peterson of Ericom Software said, “The root cause of the majority of vulnerabilities is because software developers are more concerned about the functionality of the application vs. the security of the application. Software application companies need to implement policy and procedure into developing secure code. The root cause is a human being writing code. Many times, web applications have very poor data input validity checking. For example, a form on a website where users input a username, address, phone number, etc. may allow the user to paste in HTML code vs. a name, address or phone number. This can lead to the web site presenting code to other users to infect them, e.g. cross site scripting, drive by downloads, etc.”
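The form scenario in the quote above, worked through as an added example (not code from the article or from any surveyed vendor): allow-list validation on input, plus HTML encoding on output so that a value that slips past validation is still displayed as text. The field names, patterns and sample submissions are assumptions constructed for illustration.

```python
import html
import re

# Allow-list patterns per form field (assumed formats for this illustration).
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .,'\-]{0,63}"),
    "address": re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,'#/\-]{0,127}"),
    "phone": re.compile(r"\+?[0-9][0-9 ()\-]{6,19}"),
}


def validate_form(form):
    """Return {field: error} for every field that fails its allow-list rule."""
    errors = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not rule.fullmatch(value.strip()):
            errors[field] = "invalid characters or length"
    return errors


def render_profile_unsafe(form):
    """The 'before': submitted text is concatenated into the page as-is."""
    return "<li>{name}, {address}, {phone}</li>".format(**form)


def render_profile_safe(form):
    """The 'after': every value is HTML-encoded at output time."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in form.items()}
    return "<li>{name}, {address}, {phone}</li>".format(**escaped)


# Constructed sample submissions: one ordinary, one with pasted markup.
GOOD = {"name": "Ann O'Neil", "address": "12 High St, Apt #4",
        "phone": "+1 (555) 010-9999"}
PASTED = {"name": "<script>alert(1)</script>", "address": "12 High St",
          "phone": "555-010-9999"}

if __name__ == "__main__":
    for form in (GOOD, PASTED):
        print(validate_form(form))
        print(render_profile_unsafe(form))
        print(render_profile_safe(form))
```

Validation rejects the pasted markup at submission time; output encoding is the control that still holds for data that entered through another path, such as an import or an older record.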

Other notable comments from the survey included:

  • “Application and API security vulnerabilities have and will continue to be the primary attack vector for data breach that scale into the millions of records lost by businesses and governments.” – Doug Dooley, Data Theorem

  • “Software engineers are under pressure to deliver releases and new functionality really fast. Security always gets overlooked. It’s functionality first, then scalability and security is last.” – Isabelle Dumont, Cowbell Cyber

  • “Lack of developer training on secure development.” – Mounir Hahad, Juniper Networks

  • “Using libraries that are known to be vulnerable in the application.” – Ken Underhill, Cybrary

  • “Lack of oversight in the process of creating new products and services.” – Fausto Oliveira, Acceptto

“Technology development is still more art than science,” said Aaron Turner. “As such, the software artists who create the code that keeps devices running often don’t take a methodical approach to assuring the security quality of their software before deploying it. Hardware manufacturers are even worse because at least with software there is some potential for profit margin to pay for quality assurance. In the hardware market, the margins are so thin, no one is really motivated to do any sort of system-level QA.”

For Cequence Security’s Jason Kent, “Most of the vulnerabilities that have exploits today are exploits on a code flaw or validation routine that didn’t consider a use/abuse case. The latest flaw allowing SUDO users to be Root is an example of this. They weren’t expecting a huge amount of user input and the flaw is exploited.” Sara H. Jodka, a cybersecurity attorney at Dickinson Wright, shared a related insight, noting, “Malicious code can be written into thousands of pages of other code and divert credit card information and other information without anyone in the company’s IT department finding out about it for months.”

“Humans are part of most complex IT systems and cannot be patched,” said Greg Conti of IronNet, offering a bigger picture perspective. He added, “The root causes of security spring from all but irresolvable contradictions and dilemmas. We are making progress, but we must continue to chip away at the root causes. There is a long and challenging road ahead of us.”