20 Apr

Every week brings new critical vulnerabilities that software publishers and system administrators need to address. But where do all these vulnerabilities come from? Laurent Pétroque, online fraud expert at F5 Networks, answers. The flaws are here to stay because they result from a way of developing software that is not about to change.


A simple search of the National Vulnerability Database (NVD), the US vulnerability database, reveals that more than 3,300 new vulnerabilities have been published in the past three months. Many of them are obscure and limited to certain specialized applications. However, almost every two months, a security flaw affecting millions of users on a large scale is discovered. The Heartbleed vulnerability affected nearly half of the web servers on the Internet.
Three natural causes of security breaches
Why so many vulnerabilities, and at such a frequency? The reason is simple. Vulnerabilities have three main causes: code quality, complexity, and excessive trust in input data.


The quality of the code is usually the first reason singled out. But why? Is it sloppy programming? Not necessarily. It is most often a deliberate choice on the part of the development teams, which typically prioritize the features that customers will pay for. Outside of security professionals, most people are not prepared to spend money on security.
Some are quite willing to open their wallets, but more often than not this buys applications and systems that are not as useful or flexible as mainstream solutions. The mainstream products, being less secure, then require an additional budget for security.


The MVP creates the conditions for security breaches
Another factor influencing code quality is the concept of the “Minimum Viable Product”, or MVP: a strategy for designing products with just enough features and value to appeal to customers. The remaining features are considered secondary and can be added later.


The slogan therefore comes down to: never build a castle when a simple tent will do. The problem is that we end up living in the tent for years. We also know that retrofitting security into a program after the fact is more expensive, and that it delays the security features being added in response to new customer (and market) demands. It is often only after a series of incidents that security becomes a priority.
The second concern is complexity. Most modern applications are so complex that no single person can understand them in full. For the average user, all of this complexity is hidden behind the user interface and the underlying infrastructure, but IT professionals know it is there. The current version of the Firefox browser, for example, contains 16 million lines of code written by 5,094 developers over a 10-year period.
