With software security, we’re outgunned

The good guys aren’t winning.
In the battle to keep our software safe, we are outgunned. To take a minor example: We set up a captcha system to filter out garbage comments on sdtimes.com stories and blog posts. It didn’t take long for hackers to find a way around it – and now our system is inundated with faux comments with links to term-paper writing services, loan sharks, pharmaceuticals and more.
The garbage comments are an annoyance, but we filter them out manually. No harm is done. Much worse are the persistent attacks by hackers – some so-called hacktivists, some independent troublemakers, some part of organized crime, and some potentially working for foreign governments.
A story in the March 30 edition of the Wall Street Journal reports, “Global Payments Inc., which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.”
“We are investigating a potential data breach & as a result, have alerted payment card issuers regarding accounts that may be at risk,” @MasterCard tweeted out, adding, “It is important to note, that MasterCard’s own systems have not been compromised in any manner.”
While we wait to see what happens, by coincidence the New York Times ran a story on the same day entitled “Case Based in China Puts a Face on Persistent Hacking.” Read the story; it’s a good one.
Let’s not kid ourselves: We are all vulnerable. Even the slightest flaw in our application design, operating systems, hardware or network security creates an opportunity for data theft, digital graffiti, the insertion of malware or backdoors, or worse.
The challenges are many. One is that our systems are complex, and the integration points are weak spots that can be exploited. Another is that our programmers are not sufficiently trained in secure coding techniques. Still another is that our security testing tools and techniques are always a step behind the bad guys.
And despite all of our end-user educational efforts, social engineering works. People click on links they shouldn’t click, visit websites they shouldn’t visit, and open documents they shouldn’t open.
The biggest problem, though, is that we are simply outgunned. Most corporate security teams generally are small and work in isolation. Their budgets are limited. Companies do not, for obvious reasons, talk openly about how they do security design and testing, and rarely collaborate with others in their industry.
The enemy, on the other hand, has a huge army of volunteers. Some are highly trained software engineers, others are simply script kiddies with an attitude, and some are college students. That doesn’t count, of course, the botnets that carry out many of these attacks. Hackers share data with each other, and in some cases are well-financed by untouchable outside organizations.
Whether the hackers are targeting specific companies, or simply spraying out their attacks randomly across the Internet, they are winning.
Z Trek Copyright (c) Alan Zeichick