Security: Are Software Companies to Blame?

A former hacker spoke out in New York Times recently setting his sites on large software companies. “The unspoken truth is that for the most part, large software companies are not motivated to make software secure,” writes Marc Maiffret. He claims that many software companies prioritize developing more features and functions instead of focusing improving security.

Maiffret grew up hacking for fun. He penetrated corporate computer systems not to mention large governments around the world. At 17, he was arrested by FBI, thus ending his hacking career. Then Maiffret turned to his skills to security, starting a software security company. For over a decade, he’s been helping companies learn how to plug security holes.

He claims the focus of security investigations and discussions is usually related to users of software and not the software companies themselves. “When you read headlines about the latest cyberattack,” says Maiffret, “you typically do not hear about how attackers were able to put a virus or other malware on a system in the first place.” Attackers exploit software vulnerabilities. “A result is an open door to hackers inside some of the world’s most popular software systems.”

Securing software vulnerabilities is challenging, requiring companies to build multiple barriers to entry and keeping defenses current. Security must be a “central and significant investment” for software makers. But is possible to improve security.

Maiffret sites the dramatic changes in Microsoft over the past decade. Distraught with the increasing negative public perception of Microsoft for its software vulnerabilities, Bill Gates issued his “Trustworthy Computing” memo. He writes,

“Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don’t do this, people simply won’t be willing – or able – to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.”

Gates memo prompted dramatic changes in the MIcrosoft software development process, leading to significant advances in security over the past few years. Maiffret uses this NYT Op Ed piece to throw down the gauntlet to other major software developers, challenging to follow MIcrosoft’s lead and become security leaders. He concludes,

“A lot of the talk around cybersecurity has centered on the role of government. But investing in software security and cooperating across the software industry shouldn’t take an act of Congress. It will, however, take a new mind-set on the part of developers. They should no longer see security as an add-on feature, nor should they regard holes in their competitors’ security efforts as merely a competitive advantage. As the world comes to depend more and more on their products, it should demand nothing less.”

[1] Marc Maiffret. Closing the Door on Hackers. New York Times, April 4, 2013 <http://www.nytimes.com/2013/04/05/opinion/closing-the-door-on-hackers.html?partner=rss&emc=rss&_r=0>