A Bold Step Forward to Incentivize Software Providers to Build More Secure Solutions
One of the boldest proposals of the new National Cybersecurity Strategy by the Biden Administration is to “Shape Market Forces to Drive Security and Resiliency,” including an objective to develop new legislation that shifts liability from end-users onto the entities that produce insecure software products and services.
Since our research team at Onapsis has discovered and helped mitigate more than 1,000 zero-day vulnerabilities in business-critical application software over the last decade, we have a unique perspective on initiatives like this one. Understanding the historical and current state of cybersecurity in widely-used commercial software, our team can offer insight into the pros and cons of this strategic objective.
We know first-hand through our threat research experience that many leading enterprise software providers have made significant investments to enhance their secure development processes and capabilities in the last decade. This has resulted in the release of new solutions that are more secure by design, and have stronger security configurations by default. When performing advanced vulnerability analysis on these new products, we have empirically seen how many of the ‘low-hanging fruit’ vulnerabilities that were successful in prior versions have been controlled, or mitigated, in newer releases. This is a clear indication that many software providers are improving in the right direction.
However, the number of new vulnerabilities continuously discovered and exploited by threat actors cannot be ignored and it is a clear proof point that we are not any closer to solving this problem. Further, the data also supports the Administration's claim that historical and current market forces have proven to be inefficient in changing this reality. It is often the case that realized financial losses from breaches and security flaws in products are immaterial for the software provider, but can be catastrophic and pervasive for the users of the vulnerable product or service.
As we think about ERP and business applications in particular, this challenge is drastically exacerbated because these software applications serve as the essential digital core for the world’s largest businesses and organizations in critical infrastructure sectors such as energy and utilities, manufacturing, and pharmaceutical, supporting their most critical processes and information. In these scenarios, the security of a software solution is not only relevant for users or organizations individually—given the specialized nature of these software products, there is a high degree of concentration in users relying on the same (or same few) commercial software products for mission-critical use cases. This has the potential to create systemic risk at the national and global level if malicious threat actors discover and exploit vulnerabilities in them.
In the perpetual cat-and-mouse game between defenders and threat actors, how do we, the defenders, win? I agree with several experts who shared that it will be very challenging to ensure any legislation is adaptable enough to capture this dynamic holistically without stifling innovation. However, what is the alternative? The software and cybersecurity industry as a whole must acknowledge that commercial software security will not get better unless we radically change our approach and re-align incentives. Our industry has tried many things before, from consortiums, to researchers releasing unpatched zero-day vulnerabilities at conferences, to software vendors putting public pressure on each other to patch faster.
Unfortunately, these attempts have clearly not solved the root cause of the problem: higher stakes for companies to ensure their software is secure. Prior to this new strategy, there hasn’t been enough upside for most software producers to proactively invest and build capabilities at the required levels to solve this problem, and the downside of not doing so is immaterial to their bottom lines.
We depend too much on commercial software as a society to continue hoping that things will magically improve. As the old saying goes: hope is not a strategy.
Raising the bar and expectations of due care, while effectively rewarding and shielding from liability the vendors that are effectively doing so, is a welcome step to discuss how we can re-align the incentives in the software ecosystem and build a more secure future for all of us. At Onapsis, we plan to continue being active participants in this strategy as it moves forward to implementation, making our contribution to creating that better future.