You can’t make your software perfect. But you can make it better — a lot better
We don’t live in a perfect world. So, no surprise, there is no such thing as perfect software or perfect software security.
But that doesn’t mean there’s no such thing as getting it closer to perfect. Most organizations can improve their software security — by a lot. That’s the message from several recent research projects, which note that the most important things organizations can do are the basics — things like keep track of their software and keep it up-to-date.
That’s important, because today every company is a software company, whether it builds its own software products, buys them, or pulls them for free from open source repositories. Software is behind whatever web presence a company uses to attract and interact with customers. Software runs its administrative, personnel, and financial functions, and it’s frequently embedded into production of products, and more.
Indeed, software runs everything in the digital world, which is why you may have heard that the Internet of Things has essentially become the Internet of Everything.
All of which means that risks from vulnerabilities in software mean business risks. But as researchers found, it doesn’t require super fancy, one-of-a-kind bells and whistles to mitigate most of those risks. It takes doing the basics.
Because a majority of cybercriminals don’t have the sophistication, expertise, and money of nation states. They’re looking for the easiest way into an organization.
Taking a page from the iconic Willie Sutton, who said he robbed banks “because that’s where the money is,” most cybercriminals use known vulnerabilities to break into organizations because that’s the easiest way.
According to researchers at the University of Trento in Italy, advanced persistent threat (APT) attackers “often reuse tools, malware, and vulnerabilities,” rather than seeking out so-called “zero-day” vulnerabilities — those that have not become public.
Failure to patch
They don’t have the money, time, or expertise for a “Mission Impossible” kind of attack. They’re interested in what’s already available, because they know that even if a vulnerability is public with a patch available, that doesn’t mean every organization has applied the patch.
That unfortunate reality is well-documented. The most recent Open Source Security and Risk Analysis report by Synopsys found that nearly 90% of organizations aren’t keeping their open source software up-to-date — and open source software is not only in virtually every existing codebase, it also makes up nearly 80% of those codebases.
Grant Robertson, security engineer with the Synopsys Software Integrity Group, said organizations put themselves at risk largely because “they don’t know what software they are running or the version. You can’t fix what you don’t know you’re using, all software decays over time, and vulnerabilities will be discovered.”
He added that the more common and critical that software is, “the more frequently vulnerabilities will be discovered and therefore patched.”
But of course, a patch is only effective if it’s applied, and in the case of open source software, patches aren’t “pushed” out to users. Users have to be aware that they need them, and then “pull” them from a repository to apply them.
“Staying up-to-date and using well-supported and maintained software is key,” Robertson said. “Obscurity in software only works until a critical failure or breach occurs, at which point the cost to replace or fix is often high.”
And a recent investigation by security firm Sophos into 144 attacks during 2021 found that “unpatched vulnerabilities were the entry point for close to 50% of the attackers.”
This is a largely avoidable problem. What makes for an easier “attack surface” for hackers ought to make it easier for defenders too. Fixing known software vulnerabilities is the digital equivalent of fixing a door or window that’s obviously broken or has a malfunctioning lock.
Not so obvious
It’s true that a vulnerable door or window is generally obvious, whereas vulnerable software is not so obvious. Most digital products — even simple applications — have dozens to hundreds of software components that can extend multiple levels deep. Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, has used the example of an app with eight “declared dependencies,” which are software components that the app needs to run.
But among those eight is one that has 15 dependencies of its own. And one of those 15 has another 30. Mackey said by the time he gets several levels deep, there are 133 dependencies — for just one relatively simple app.
Also, within those 133 dependencies were “multiple instances of code that had explicit end-of-life statements associated with them,” he said, which means those components are no longer maintained or updated, so any new vulnerabilities in them won’t be fixed unless new volunteers show up to do so.
If organizations fail to keep track of the hundreds to thousands of components they’re using, they won’t know when those components have vulnerabilities, so they’re not likely to apply a patch even if it’s available.
That’s what cybercriminals are relying on.
Grasp the basics
Michael White, applications engineer with the Synopsys Software Integrity Group, said organizations should first set priorities. “Probably not on zero-days first if your basic security isn’t mature. Doing application security is harder if DevOps and general development practices are poor. That’s why security and development teams must partner to improve application development and DevOps first, before they can even add security.”
Travis Biehn, technical strategist with the Synopsys Software Integrity Group, said patch agility is more important than worrying about zero-day vulnerabilities. “Along with an ability to patch, an ability to recognize and respond to successful attacks regardless of initial landing point is important,” he said. “Organizations can focus on ‘zero-day protection’ after they’ve got a good grasp on all the basics.”
There is good news for defenders amid all that complexity, however. Automated testing tools like software composition analysis (SCA) can help find open source components that would be next to impossible to find manually. A good SCA tool will help locate each component and also provide information on where it comes from, who built it, who is maintaining it (or not maintaining it), and any known vulnerabilities and potential licensing conflicts.
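As an added illustration of the dependency-tree and SCA points above (this is example code, not from the article or from Synopsys), the following script walks a constructed manifest the way an SCA tool would: it counts each transitive component once, records how deep it sits, and flags end-of-life, vulnerable, license-conflicting and unknown components. All component names, metadata and the CVE id are constructed placeholders.

```python
"""Added example: walk a constructed dependency graph like an SCA tool would."""
from collections import deque

# Constructed manifest: component -> direct dependencies, several levels deep.
DEPENDENCIES = {
    "app": ["web-framework", "json-lib", "logging-lib"],
    "web-framework": ["http-parser", "template-engine", "crypto-lib"],
    "http-parser": ["string-utils"],
    "template-engine": ["string-utils", "html-escape"],
    "crypto-lib": ["bignum"],
    "logging-lib": ["string-utils"],
}

# Constructed metadata of the kind an SCA tool reports; the CVE id is a placeholder.
METADATA = {
    "html-escape": {"eol": True, "vulns": [], "license": "MIT"},
    "bignum": {"eol": False, "vulns": ["CVE-XXXX-PLACEHOLDER"], "license": "MIT"},
    "crypto-lib": {"eol": False, "vulns": [], "license": "GPL-3.0-only"},
}

def transitive_dependencies(root, graph):
    """Breadth-first walk; returns {component: depth first seen}, so a shared
    component such as string-utils is counted once, not once per path."""
    seen = {}
    queue = deque([(root, 0)])
    while queue:
        name, depth = queue.popleft()
        for dep in graph.get(name, []):
            if dep not in seen:
                seen[dep] = depth + 1
                queue.append((dep, depth + 1))
    return seen

def risk_report(components, metadata, allowed_licenses):
    """Flag end-of-life, vulnerable, license-conflicting and unknown components."""
    report = {"eol": [], "vulnerable": [], "license_conflict": [], "unknown": []}
    for name in sorted(components):
        info = metadata.get(name)
        if info is None:
            report["unknown"].append(name)  # no data: you can't patch what you can't see
            continue
        if info["eol"]:
            report["eol"].append(name)
        if info["vulns"]:
            report["vulnerable"].append(name)
        if info["license"] not in allowed_licenses:
            report["license_conflict"].append(name)
    return report
```

Running `risk_report(transitive_dependencies("app", DEPENDENCIES), METADATA, {"MIT"})` on the constructed data finds nine transitive components behind three declared ones, with one end-of-life, one vulnerable, one license conflict and six with no inventory data at all.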
Another element of basic security is to acknowledge that so-called “perimeter defense” is essentially obsolete. Paul Ducklin, writing on the Sophos Naked Security blog, compared digital perimeters to “historic cities [that] still have city walls, but they’re now little more than tourist attractions that have been absorbed into modern city centers.”
“Today’s networks, especially in a world with much more remote working and ‘telepresence’ than three years ago, don’t really have a perimeter anymore,” he wrote.
Which means it’s time to adapt. Biehn said that “a legacy, perimeter-first organization’s momentum is behind ‘more of the same’ — we’re talking generations of technology, people, policy, and incumbent executives. Unfortunately for these companies, a wake-up call often comes from a real incident.”
Zero trust = better security
The basic way to address that has been known for decades as “zero trust.” It assumes that everything and everybody is a perimeter that shouldn’t be automatically trusted. As the NIST Computer Security Resources Center put it in August 2020 with its SP 800-207, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location [… or] on asset ownership (enterprise or personally owned).”
Or, as White put it, “with zero trust, ‘the network’ and ‘the perimeter’ are defunct anyway.”
Biehn has said in the past that while the zero-trust concept is no longer cutting-edge since “the AppSec industry has considered the network to be an ineffective control for decades,” he still thinks a zero-trust strategy at just about any level of maturity is “the lowest-effort, highest-return thing to pursue for any organization. It’s great.”
“In spite of our historic distrust of the network, it’s a new concept for old organizations all over the planet — government or not,” he said. “Getting all that software a modicum of protection against malicious network participants is a huge deal.”
Biehn added that another basic security measure — multifactor authentication on remote management interfaces — “seriously hampers an attacker’s ability to quietly move through infrastructure.”
Bottom line: Stop making it easy for attackers. If you make it hard for them, they are likely to look for easier targets.