This article was originally written by Michael Burch for SD Times.
The software industry is no longer functional. Last year alone saw over 28,000 new CVEs published, a record rise that perfectly illustrates the ongoing patching crisis facing security and development teams, which are under constant pressure to patch vulnerabilities or risk exposure. In the last 12 months, software vulnerabilities led to over 50 percent of organizations suffering 8 or more breaches. The same survey found that only 11 percent believe that they patch effectively and in a timely manner. This dilemma is the result of a software industry that is far too comfortable releasing insecure applications to end users. Software vendors have long prioritized speed to market, treating security as an afterthought to be addressed through updates and patches, and we can no longer accept that.
Security leaders, regulators, and the industry itself must embrace a higher security standard, holding software vendors and developers to a higher standard of security from the outset, truly embracing secure by design principles, clearer disclosure and faster remediation of vulnerabilities, and more regular and rigorous security testing of applications, even after their release.
So, whose responsibility is it?
This crisis is perpetuated by the well-publicized security skills gap. In fact, 47 percent of organizations blame their challenges remediating vulnerabilities in production on a lack of qualified personnel, showing that even within the software development lifecycle (SDLC), the security burden is spread unevenly. In large organizations, though, resources should not be an accepted explanation for poor security standards. End users with tight security budgets and smaller teams should never have to shoulder the security shortfalls of a solution that they have paid for and expected to be trustworthy.
But competing aggressively to acquire talent from the limited pool with security expertise is not the only solution: the shift-left and shift-everywhere movements have long emphasized the importance of security skills across the SDLC, including within development teams.
With many developers now turning to AI-generated code to increase efficiency even further, it is critical that they are also equipped with the secure coding knowledge to thoroughly assess that output for security risks. Fostering the security skills of their developers is a critical way for large software vendors to reduce the number of vulnerabilities in production while showing a real commitment to improving the security of the applications they release.
Moving beyond ticking boxes
Developing a security-centric mindset within all software vendors will be crucial to overcoming today's patching crisis. There is often a disconnect between security and development teams, with the goal of security often appearing to be at odds with competitive success. Driving a culture of shared responsibility would help establish accountability in all departments and at every stage of the SDLC, without penalizing organizations that prioritize security over speed to market.
Well-trained and knowledgeable development teams and project managers are the foundation of this change. The unfortunate reality is that many organizations don't see security training for developers as a priority, with 68 percent only providing secure coding training for the purposes of compliance or in the event of an exploit. The urge to create code faster than ever often means that developers' schedules cannot accommodate even short sessions of secure coding training, so organizations train only when they have to. Checking the box for compliance is easy, but it doesn't build a security-centric culture, and it opens the door to complacency, oversight, and poor retention from secure coding training sessions when they do happen.
The industry as a whole is severely lacking in the prevalence, frequency, and quality of training. Software vendors need to understand that software security is a central concern for their customers, one that justifies continuous training and allots time for rigorous code reviews.
Proactivity is always the answer
Building a comprehensive and proactive approach to software security can help organizations mitigate security risks when software vendors fail. A concerning 55 percent of security leaders report that a misalignment between development, compliance, and security teams causes delays in patching. In giant tech corporations, this misalignment is heightened. By taking a proactive approach that assesses and responds to CVEs based on risk prioritization, organizations can realign their teams with clear patching protocols.
In a threat landscape where reactive methods are no longer sufficient, investing in education and detection is crucial. When developing in-house applications or configurations, developers should be capable of sniffing out any code that could potentially give threat actors a foothold in their networks. Although it is the responsibility of software vendors to release secure applications, many vulnerabilities arise from misconfigurations when software is deployed onto a new or existing system. It is absolutely crucial that in-house developers have the proper education and skills to ensure that applications are configured and used as designed, scanning regularly for new vulnerabilities before a bad actor can exploit them.
The current patching crisis is the result of the rapid innovation happening in the industry today, and this is not an inherently bad thing. But as customers and regulators come to expect higher standards of software security, organizations can help themselves meet the patching crisis head on by embracing "security by design" principles and proactive patch management strategies in their own internal teams.