Security is important for our software, mostly to protect the data in systems, but also for other reasons. This week I noticed a few items that were worrisome for me, though not unexpected. At this point, I assume most systems have vulnerabilities and that it's just a matter of time before they're compromised. I've gotten to the point where I just create a new password for every system and assume that a breach will occur at some point. I mostly depend on haveibeenpwned to let me know I need to check an application since I don't have a better system. Certainly I can't hope that companies will let me know they've lost data.
This week a few items concerned me. The first was a vulnerability discovered in Amazon Key. I'm sure Amazon hires good developers and has lots of evaluation for their software to avoid security issues. My guess is they do a better job than most of us because they can afford to have people try to break into systems. The problem comes when we have developers that creatively solve issues and mostly worry about the happy path for their application. Most of us that build software to solve a problem aren't anywhere near devious enough to understand how someone might attack our hardware. While I won't use Amazon Key, plenty of others will and every breach is a blight on all of us as software developers.
Perhaps more disconcerting to me is a potential issue in Boeing planes. I fly a fair amount, and the idea that someone could successfully get into a plane's network is very worrisome. I'm sure Boeing is worried (and Airbus, etc.) about this. I bet they spend a lot of time not only writing and testing software, but having other companies and governments go through their efforts. Certainly there's a large effort here if a one line change really costs them $1mm. However, I'm sure there are still some vulnerable sections of software. How could there not be? Despite what Boeing says, I'd prefer their software was open, or at least available, to security researchers.
There is a rush to get software into production. DevOps helps us do that at a more rapid pace, which I like. However, what I don't like is that many companies don't increase their effort in their process (DevOps or otherwise) to improve security. They aren't finding ways to increase the stress on their systems, add additional checks, or incorporate feedback to correct previously released issues. Some do, but most don't. What's worse, most aren't making security (Rugged DevOps) a part of their development process.
Bruce Schneier has called for regulation of IoT devices. Most people resist any sort of regulatory approach, but I'm not sure this is a bad idea. Not specifics, but perhaps some good guidelines will help. GDPR in the EU takes effect next year, and this is the first legislation with real penalties that might force the average company to start to take security more seriously. I'm sure plenty of solicitors and lawyers are looking for ways to argue against penalties, but since so many of the data breaches are simple items that should never have occurred, I'm hoping some harsh penalties will get organizational management to not only press for features to get done, but require secure coding and strong infrastructure controls to be implemented.
None of this helps against phishing, which is on the rise. As we better secure systems, I expect phishing to increase in size, scale, scope, and complexity. I think some of the efforts to lock down websites, block traffic, and require better security for email and website traffic will help. They make life difficult for many small companies, but I would hope that we find ways to ease the ways in which companies can build a system to reach users in a secure fashion. We are becoming too dependent on our systems to not make more effort to secure them. Hopefully the management in our organizations will start to believe this at some point.