It's Not Just Your Data At Risk - Unsafe Practices Endanger National Security
Imagine a squadron of Navy pilots flying a mission to provide aid to allies in a war zone. The route has been carefully planned to keep them away from combat zones and out of the line of enemy fire. Unbeknown to the squadron members, however, their navigational system has been infiltrated, and instead of directing them to their allies in need, it leads them behind enemy lines, where they risk being shot down or captured.
Although the above example is an extreme case, our U.S. servicemen and women put their lives on the line every day. But they don’t do it alone—a vast infrastructure stands behind them, supporting them. This includes not only government workers but private contractors and subcontractors who supply the Department of Defense (DoD) with the equipment, goods, and services these dedicated personnel need to do their jobs. Each of these contractors and subcontractors in turn relies on its own providers of products and services, and some of the most critical of these are software vendors.
Software Is Everywhere—and Vulnerabilities Proliferate
In today’s environment, software underlies everything, including everything used by U.S. military personnel. Whether it’s a plane, a motor vehicle, a weapon, a navigation or communication device, or some type of logistics support—if the software behind it has a glitch, it puts its user in danger. And if that glitch is due not merely to error but to malicious hacking, the danger expands and multiplies.
Software, therefore, is a critical industry, and software security is paramount. Historically, however, software vendors haven’t been held accountable for unsafe development practices, and their customers are left to patch defects in their production systems—if the defects are caught.
The Cybersecurity and Infrastructure Security Agency (CISA) is working to change that. Last year it released its Secure by Design principles, which aim to help software developers eliminate several major classes of defects, coding errors, and vulnerabilities from their products. Some examples of vulnerabilities due to flawed coding practices include the following:
- Cross Site Scripting (XSS): A security flaw that lets attackers insert harmful scripts into web pages viewed by other users, potentially stealing information or manipulating the page.
- SQL Injection: A technique where attackers enter malicious code into a website's form fields to trick the database into revealing or manipulating its data.
- Directory Traversal: An attack that allows hackers to access restricted directories and files on a web server by manipulating the file path.
- Memory Unsafe Languages: Programming languages that do not automatically manage memory allocation and safety, making them more prone to bugs and security vulnerabilities like buffer overflows.
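For two of the defect classes listed above, SQL injection and directory traversal, the following added example (not from CISA or the original article) puts the flawed coding pattern beside the fix that removes the whole class. The table, function names, and inputs are constructed for illustration.

```python
import os
import sqlite3
import tempfile

def make_db():
    """Constructed sample data: an in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_unsafe(db, name):
    # Defect class: input is concatenated into the SQL text, so the
    # database parses user-supplied characters as query syntax.
    return db.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    # Class-wide fix: a bound parameter is always treated as data.
    return db.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def resolve_unsafe(base, requested):
    # Defect class: "../" segments in the request escape the base directory.
    return os.path.normpath(os.path.join(base, requested))

def resolve_safe(base, requested):
    # Class-wide fix: canonicalize, then require the result to stay in base.
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input
    print(len(lookup_unsafe(db, crafted)), len(lookup_safe(db, crafted)))
    base = tempfile.mkdtemp()
    print(resolve_unsafe(base, "../../etc/passwd"))
    try:
        resolve_safe(base, "../../etc/passwd")
    except ValueError as err:
        print("rejected:", err)
```

Both fixes work at the level of the coding pattern rather than the individual input, which is why a vendor can apply them across a codebase instead of patching one report at a time.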
CISA hopes to spot patterns that can help industry eliminate each type of defect. “What’s especially noteworthy is that for most of these classes of defect, we have known of ways to prevent them at scale for years, and even decades,” CISA Senior Technical Advisors Bob Lord and Jack Cable, and Senior Advisor Lauren Zabierek said in a recent blog post. CISA’s goal is for the technology industry to take responsibility for the security of its products, rather than pushing that burden onto their customers, many of which are smaller businesses with fewer resources for detecting and fixing problems. CISA wants vendors to build security into their products and practices as a matter of course. “It is the norm in other industries to perform root-cause analysis and to work towards eliminating classes of defect,” the CISA advisors said. “It is long past time for it to be the norm in the software industry.”
The problem is that such a shift requires a change of mindset and culture, which needs to be led from the top down. Also, since CISA doesn’t have the teeth to enforce compliance, the industry hasn’t progressed as far as the agency would like. Still, CISA has worked closely with industry leaders and has made some progress in encouraging the adoption of its policies. So far, more than sixty vendors have signed on to CISA’s Secure by Design pledge to stop using unsafe practices, and many software companies have eliminated the majority of common errors.
An Integrated Process Is Still Key
Even with greater accountability on the part of their software vendors, DoD contractors and subcontractors can’t relax their cybersecurity vigilance. Secure software is only one piece of the puzzle. Compliance with NIST 800-171 standards and CMMC assessment mandates requires integrated business processes and best practices. CyberNINES offers numerous services to help ensure that all aspects of your business are compliant and assessment-ready.
Software security is paramount, but so are all aspects of cybersecurity. Our country’s data, critical systems, and the lives of our servicemen and women depend on it.
Sources:
https://www.cybersecuritydive.com/news/cisa-agencies-secure-by-design-principles/647548/