The critical zero-day vulnerability in the Java logging library Apache Log4j (CVE-2021-44228) allowed unauthenticated attackers to execute code remotely on a vulnerable system simply by getting it to log a crafted string, giving them a foothold on devices and networks. And because the open-source library was embedded in a vast array of applications, services and enterprise software tools, it had the potential for widespread and long-term disruption.
No wonder Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.
Security patches were developed quickly and organisations moved fast to apply them, but because Log4j's open-source code is so ubiquitous there will be software and applications out there that never receive the update, especially where nobody realises Log4j was pulled in as a dependency during development.
Log4j is just one example of a severe security vulnerability being uncovered in software that has been in use for years. It also arrived 20 years after then-Microsoft boss Bill Gates issued his Trustworthy Computing memo, which urged Microsoft's developers to produce more secure software after a string of bugs and security holes had been found in the company's operating systems and products.
“Eventually, our software should be so fundamentally secure that customers never even worry about it,” wrote Gates.
Two decades on, Microsoft Windows is generally regarded as a reasonably secure operating system, provided it is used correctly and security updates are applied, yet even Microsoft can't escape critical vulnerabilities in its code. And more broadly there is still far too much insecure software around.
Software has always shipped with bugs, but software and services have become ever more important to our everyday lives, making the potential impact of security vulnerabilities even more damaging.
In many ways, software development hasn't evolved to face this new reality: products are still rolled out, only for vulnerabilities, sometimes major ones, to be discovered much later. And when the problem lies in a somewhat obscure component like Log4j, often buried several dependencies deep, organisations might not even be certain whether they're affected.
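As an added illustration of that uncertainty (this is example code written for this page, not code from the article, from Apache or from any of the vendors quoted), here is a Python scanner that walks a directory tree, opens every JAR/WAR/EAR it finds, recurses into archives nested inside them, and reports each copy of log4j-core by the version in its standard Maven pom.properties entry and by whether JndiLookup.class is present. The Maven metadata path and the class name are the real ones; the archives the script builds for its demo are constructed stand-ins rather than real Log4j builds, and the directory layout is assumed. It deliberately does not decide which versions are vulnerable; it only produces the inventory that such a decision needs.

```python
"""Inventory log4j-core copies on disk, including JARs nested inside WAR/EAR/fat-JAR archives."""
import io
import os
import tempfile
import zipfile

# Standard Maven metadata path inside a log4j-core JAR
# (groupId org.apache.logging.log4j, artifactId log4j-core).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class Apache's mitigation guidance told operators to delete from affected 2.x JARs.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _parse_version(props_text):
    """Pull the version=... line out of a pom.properties file."""
    for line in props_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, label):
    """Return findings for one archive given as bytes, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
        version = None
        if POM_PROPERTIES in names:
            version = _parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP_CLASS in names})
    # Shaded/fat JARs and WARs carry log4j-core as an entry rather than as a file on disk.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings


def find_log4j_core(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def make_sample_jar(target, version, with_jndi_lookup):
    """Write a constructed stand-in JAR (not a real Log4j build) to a path or file object."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_demo_tree(root):
    """Constructed sample layout: one JAR on disk, one JAR buried inside a WAR."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    inner = io.BytesIO()  # stand-in for a JAR from which JndiLookup.class was deleted
    make_sample_jar(inner, "2.14.1", False)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/other.jar", b"not really a zip")  # exercises the BadZipFile path


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return find_log4j_core(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `find_log4j_core` at an application root or a container's filesystem and it returns one record per copy of log4j-core, with nested copies labelled `outer.war!inner/path.jar`; the nested case matters because a fat JAR or WAR shows no log4j file on disk at all, which is exactly how a team ends up unsure whether it is affected.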
“Inherently, the way in which we do software development just lends itself towards bugs and defects,” says Rob Juncker, CTO and head of software development teams at Code42, a software security company.
“The accelerated pace of work that we live in contradicts most security teams’ best practices”.
Security teams want software to be secure, and that takes investment, people and time. It often conflicts with what the companies building the software want: working code shipped as soon as possible, especially when new products or features depend on it.
The state of security is hugely uneven across the industry: a handful of top vendors do reasonably well, but the vast majority, even very well-funded companies, lack basic security investment, says Katie Moussouris, CEO of Luta Security.
“Unfortunately we’ve seen an under investment in cybersecurity over the last 20 to 30 years,” she says.
What companies need to do is bake cybersecurity in from the very start, making it a building block of the software development programme at every step. That way, risks and potential risks can be considered and acted upon before they become problems down the line.
“If you think about how software is made and deployed and maintained, it’s a whole supply chain. And it starts out with when you’re designing software or you’re thinking about new features,” says Jonathan Knudsen, senior security strategist at Synopsys, a software security firm.
“In the design phase, you have to be thinking about security, you have to do threat modelling or architectural risk assessments, so before you write any code you’re just thinking about how it’s going to work, and what it’s going to do – and how it could be attacked,” he added.
Bosses might be reluctant to spend the extra time and resources on ensuring code gets delivered securely, but in the long run, it should be the most effective approach, both in terms of cost and reputation.
It’s safer to ensure the code is secure before it’s pushed out, rather than having to deliver a critical update later on, which might not even be applied by users.
The problem is that many organisations are so used to a development model where speed is key, and the risks to them of producing poor code are seen as relatively low.
That could mean outside intervention is needed to push organisations towards secure code, and to penalise those who wilfully ignore security issues.
“In other industries where we have such a critical dependence we regulated those industries, but software has remained largely unregulated, so there’s no software liability laws,” says Moussouris.
There has been some movement in this area: for example, the UK government has proposed legislation that will require Internet of Things device manufacturers to follow a set of software security rules before the products can be sold.
However, government moves at a slower pace than the industry and even if the rules are enforced, there’s already plenty of IoT software out there that wouldn’t meet the requirements.
But as organisations and individuals become more aware of cybersecurity issues, market pressure may force companies to take software security more seriously, leaving behind developers who don't think about it.
“Globally we’re getting more aware about software security, and so I think this is going to translate into buyers asking tougher questions from their builders,” says Knudsen.
It is therefore vital for software developers, their customers and society as a whole that software security is taken seriously. Perhaps ‘move fast and fix things’ could be a new motto for developers to aspire to.