Secure software creates new possibilities. Businesses that did not exist before the creation of new software are today allowing us to share cars, share homes, stream from home, work from home and arrange same-day home delivery.
Of course, these new businesses require more code. How much more? Today there are millions of lines of code in just about everything we use, and it has been estimated that more than 100 billion new lines of software code are added every year. That means there is also the potential for more than 100 billion new software vulnerabilities each year.
SOFTWARE IN THE REAL WORLD
What does our dependence on quality software look like in the real world? Today there is greater interdependence among individual devices, and they all require software. So it is not just one device and one piece of software, but an ever-increasing interconnection of individual pieces of software.
For example, the smart TV that entertains your family uses Internet connectivity software, which is powered by the power grid software, which is supplied by the power plant software, which is fueled by truck and train software. With all these interdependencies, the stakes for software quality are rising every day. It raises a very important question: what if just one piece of software fails?
Failure is not something we often talk about, but given all the interdependencies it is important that we at least address software failure. Although software as an industry is over 50 years old, it still produces an unusually high rate of failure.
At one point, having your desktop computer crash was merely annoying. Today the consequences of software failure are far-reaching: they range from the inconvenient to, in some cases, the life-threatening.
However, the reliability of software cannot be blamed solely on programmers. Even the best programmers will occasionally make mistakes. Rather, it is the process that surrounds these programmers that needs to improve, namely the tools and processes they use in developing secure software. And it is increasingly critical that we focus on this problem today.
Why? If we don't identify the software vulnerabilities ourselves, someone else will.
Perhaps because of our interdependencies in software, adversaries have emerged to take advantage of new vulnerabilities.
Despite what you see in the movies, real-life criminal hacking is not someone wearing a hoodie, sitting in a room full of monitors. In real life, adversaries are typical developers who take atypical steps, with a wide range of skill sets and motivations. These include:
- The casual attacker, who is just interested in the challenge or the thrill of the chase. Think of them as graffiti artists or common street punks, causing damage along the way.
- Hacktivist and political groups, who have a different kind of agenda. Often they cause software failures through denial of service in order to make a point.
- Organized crime, which is in it for the money, often through ransomware, where they extort the victim into paying for the decryption of their own data.
- And finally, nation states, whose interests are either political or military: they can steal sensitive data through espionage, or they can attempt to shut down hospitals and power grids to paralyze society.
One thing all of these adversaries have in common is that they find and exploit software vulnerabilities, sometimes previously unknown ones. The real enemies, then, are not the programmers, nor even the adversaries, but the software bugs or vulnerabilities themselves.
ANATOMY OF AN ATTACK
Let's take a look at a typical adversarial attack. An adversary will most likely start by spending some time mapping everything that is running on your network. This attacker will want to know about every piece of equipment and every piece of software running on that equipment. This includes all the interconnected mobile phones, laptops, printers and desktops used for work, in addition to all the servers and cloud instances.
Basically, everywhere there is a piece of software taking in some kind of input, either from a user or from another system, is a place where an attacker could potentially find an exploitable flaw. If you sum up all of these pieces, that is the attack surface. And in our ever more interconnected world, our attack surface is getting infinitely larger.
For example, some organizations are tying ancillary systems such as HVAC into their organization's network. That is how the Target breach occurred: the attackers entered through a third-party HVAC system, and because the network was not properly segmented, the adversaries were able to get to the credit card data. So if it runs software and it has vulnerabilities, it is going to be an attractive target for any adversary. That is why organizations need to secure their software before adversaries can attack.