Dive Brief:
- Federal cyber authorities say it’s time for software vendors to “class up the joint” by eliminating entire classes of defects, coding errors and vulnerabilities from their products.
- Software defects are a recurring problem the Cybersecurity and Infrastructure Security Agency highlights when authorities determine vendors could have prevented attacks by fixing these errors from the outset.
- “What’s especially noteworthy is that for most of these classes of defect, we have known of ways to prevent them at scale for years, and even decades,” CISA Senior Technical Advisors Bob Lord and Jack Cable, and Senior Advisor Lauren Zabierek said Monday in a blog post.
Dive Insight:
The pressure CISA is putting on software vendors to fix these mistakes in the software development process is broad and consistent with the agency’s effort to shift the burden of security responsibility from customers to vendors.
But some cybersecurity experts expect the public pressure campaign to fall flat.
This back-and-forth dialogue between government officials and industry stakeholders on technical matters is an “endless loop” and ultimately unproductive, according to Allison Nixon, chief research officer at Unit 221B.
CISA unveiled secure-by-design principles in April 2023 and consistently shares its vision for how manufacturers should incorporate security into their products and practices.
The agency recently unveiled its secure-by-design pledge, which 68 vendors signed last week at the RSA Conference in San Francisco. The effort calls for software firms to stop shipping whole classes of flawed code, such as cross-site scripting (XSS), SQL injection and directory traversal, and to move away from memory-unsafe languages.
Yet, the problem persists and the lack of progress underscores CISA’s limited capability to change long-ingrained software development practices.
Most of these classes of defect continue to plague the industry, causing significant damage to companies and government agencies. By grouping them together, CISA hopes to spot patterns that can help the industry move beyond addressing each defect one at a time.
While some software companies have eliminated the most common classes of coding error, there is evidence the industry as a whole is not making sufficient progress, the advisors said.
To Nixon, meaningful change requires the resources, will and power to make the behavior pattern stop.
“If the government could poach people from industry, they wouldn’t waste everyone’s time writing lectures about bug categories that are old enough to drink,” Nixon said.
Instead of focusing on flawed code, the federal government would make a greater impact by taking measures to prevent lawyers from interfering with cybersecurity work and by punishing companies that harm cybersecurity by trading long-term costs for short-term gain, according to Nixon.
“These are common, destructive patterns in corporate America that are the true root cause of unsafe software,” Nixon said.
CISA lacks regulatory power to compel companies to meet its recommendations. Instead, the agency is banking on widespread adoption of its secure-by-design initiative to drive progress.
The program emphasizes the need to stop playing Whac-A-Mole with defects that appear on customer systems in production, CISA’s advisors said in the blog post.
“It is the norm in other industries to perform root-cause analysis and to work towards eliminating classes of defect,” the CISA advisors said in the blog post. “It is long past time for it to be the norm in the software industry.”