It’s common knowledge that software is eating the world, but I would argue that software complexity is, quite frankly, eating our lunch. No matter how talented your software engineers or brilliant the agile processes you put in place, we will never be able to create a truly perfect system. This is why we continue to see ransomware attacks carried out against major companies, including HBO, Sony and the recent breach of very sensitive consumer credit data in Equifax.
What technologists can do, however, is secure as much as we can, as well as we can. When you look at how data breaches occur, hackers exploit known software vulnerabilities 44% of the time — these are vulnerabilities and weak points within software systems that are widely known and reported within developer and IT communities.
Why are we not fixing these known security vulnerabilities in mission-critical IT systems, as we saw in the case of Equifax?
There are several factors at play here: Developers lack the bandwidth to remediate the countless vulnerabilities that are flagged in their systems daily, there is a need for better prioritization of these vulnerabilities based on which have the biggest impact on consumer safety and, often, developers are not effectively held accountable for software quality. But perhaps the most cumbersome factor is that applications today are simply very complex systems. They are made of many layers of software that have been added over time by different teams, with each team not necessarily understanding the full application they have enhanced or the vulnerabilities that may be hidden deep within the source code layers. Add to that the increasing use of third-party components, open source or not, whose origins are sometimes unclear or unknown, and you get the picture. No team truly knows its application inside and out, and no team can be held accountable for every component within the system.
As we continue to innovate, use new transformational technologies and build bigger businesses, software complexity will only compound. But there are some simple (and not so simple) processes that technology leaders can put in place to keep software complexity at bay.
Take Inventory Of Your Open-Source Software
While beginning the software development process with open-source software is a positive thing — it reduces re-work and speeds time to delivery — it is important that your teams check these open-source components against known, published vulnerabilities before continuing the development process. It is quite shocking how many breaches occur through the exploitation of known vulnerabilities, and this is something that can be more easily avoided at the very beginning of the software development life cycle, when the application is in its simplest form.