The Security Snooze Button
IT security pros must get involved in software development and help ensure that security is being represented at every stage.
I laughed at this statement, of course, because of all the times I've read something just like it, but without any real indication that anyone had actually woken up. It's as though someone just keeps hitting the metaphorical snooze button, and not just at the banks.
So that was exactly what went through my mind when I recently read some statistics from ISS that predicted we'd see some 7,500 published software vulnerabilities this year, a 41% increase over last year. That old snooze button is seeming way too convenient.
More Ken van Wyk columns: The Rise of Patch Vigilantism
But then I thought about these numbers a bit more, and I think the answer isn't all that simple. Yeah, anyone who reads this column from time to time has probably heard me complain about how bad the general state of software security is these days. We clearly need to make some significant and fundamental changes there, but there's more to it than that.
For one thing, for a 41% increase in published software vulnerabilities to exist at all means there must be some big forces in play. Case in point: if the people who look for software vulnerabilities continue to do their work at more or less a status quo level, then there'd have to be a corresponding 41% increase in the amount of software out there, right? Or there are 41% more people looking for vulnerabilities. Or something in between. That stands to reason.
Assuming we didn't see an overall increase of 41% in the amount of deployed unique software out there in a single year, then it seems logical that somehow we're looking for the weaknesses differently. More researchers out there looking for weaknesses, perhaps? But that explanation falls short in my view.
A far more realistic conclusion regards the shift in profit motive that we've seen in the past three (or so) years. Phishing, Trojan horses and other malware are like the great white sharks in the ocean, constantly looking for new, as-yet undiscovered vulnerabilities to exploit. Their appetite for these nasties is endless. Indeed, it is their livelihood, however ill-conceived and illegal, that is at stake.