“Software has eaten the world,” said Marc Andreessen, founder of Netscape, in a 2011 Wall Street Journal article. It’s a bold statement and an apt description of where our world is going. Everything we do today – from streaming movies on Netflix to buying products on Amazon – is moving from a brick-and-mortar environment to one that is almost entirely electronic.
Software exists for nearly everything we do, making our day-to-day lives more convenient and efficient. But there’s a downside to this proliferation of software programs: they are not being built with security in mind, creating more avenues for bad actors to get into our networks and making software vulnerabilities one of the biggest challenges in data security.
But this isn’t a new issue. Thirty to forty years ago, the internet developed so rapidly that it spun out of control; it was allowed to grow like a multiheaded Hydra before people started to talk about its cybersecurity implications. We need to prevent a similar problem from occurring during this time of explosive innovation in cloud, mobility and IoE (the Internet of Everything). We need layers of security, along with other cultural and technological developments, to keep government data up to date and secure.
A Multipronged Approach: Education, Identity Management & Remediation
Protecting networks and data is a top priority for all U.S. government agencies and requires a multipronged approach. We need to put every security tool toward it that we can, from every angle, to keep cyberattacks at bay. Perhaps the best place to start is before systems are even conceived, in the form of education. That means going back to higher education institutions and ensuring that security is a part of the core curriculum. Today, it takes three to six months in any large software development organization to onboard a recent graduate and teach them how to build software securely. With the proper training, however, students who come out of software engineering disciplines should be able to hit the ground running when they join a contractor’s development team.
Identity, Access Management and Patching
Once software is released and available to consumers, agencies should remain on guard by practicing basic blocking and tackling; identity management is one of those basics. We should always know, for example, who is logging onto a system and what they have access to. Patching is another key part of this equation. One might think that filling gaps and holes in software would be relatively easy for agencies to do, considering that our home computers generally patch themselves automatically. In fact, today’s government systems are woefully under-patched, providing superhighways for adversaries to get into our networks and cause havoc.
Remediation Technologies: Find, Fix & Fortify
In addition to identity management and education, there’s a third very promising way to protect against the vulnerabilities that software programs may inadvertently create. Technologies are available today that can scan an organization’s software, find weaknesses, advise on how to fix them and then prevent them from being reintroduced in the future. We call it “find, fix and fortify,” and it works almost like a spell checker for code. It can run on premises or, if your organization lacks software-security skills, be outsourced to our cloud solution.
The Department of Defense is a great example of how remediation technologies can manage security vulnerabilities originating in software. Back in 2010-2011, the DoD and Capitol Hill met to discuss the supply-chain risk-management theory that weak software was leading to break-ins at DoD. The department asked for assistance, and in 2014 Capitol Hill passed the National Defense Authorization Act (NDAA) section 937 on securing software, which led to the creation of the Joint Federated Assurance Center concept. This initiative enables the DoD to check all hardware and software coming into its environment, to review it for risks associated with vulnerabilities in that software or hardware, and to remediate those risks before the hardware or software is put into production.
Historically, not all agencies have been able to afford prioritizing security the way DoD does through the NDAA. The good news is that we are at a point today where we’ve taken the best minds in software security and put their ideas into a black box for organizations to use. In that box are the components to create a strong system of software security assurance with multiple layers and best practices. Now, by adding remediation technologies to that black box, organizations – even those with limited software-security expertise – have access to affordable solutions to use in their own environments to find, fix and fortify critical systems.