Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Election Day was just another chance to worry about security

J.F. Rice | Nov. 7, 2014
We’re surrounding ourselves with devices that rely on software, but their designers never seem to take security seriously.

desi accuvote
Electronic voting macines are just one of the products we're surrounded by that have had serious vulnerabilities. Credit: Joe Beone via Wikipedia, Creative Commons, CC-BY-2.5

At the moment I'm a bit of a security grouch. I keep seeing product after product that has significant vulnerabilities. And this isn't just happening with the things I deal with at work. Even Election Day had me grousing about the state of our software security.

At work, over the past several weeks I've been forced to deal with one serious vulnerability after another. First, it was Heartbleed. Next came Shellshock. That was quickly followed by the Poodle vulnerability.

Fortunately, fixing the Poodle vulnerability is not rocket science. We simply have to configure our Web servers to stop supporting SSL Version 3.0. I'm also taking the opportunity to upgrade our certificates while we're at it, to support a longer encryption key length and a better hashing algorithm.

I have never understood why companies don't bake better security into their products during development. Sure, the latest vulnerabilities have been more complicated than the simple buffer overflows and privilege escalation that have been common over the last several years, but I nonetheless think they could have been avoided with better programming practices. It amazes me how common it is to find software with code that doesn't follow even the most basic best practices, like input validation and bounds checking to prevent the overflows that lead to vulnerabilities. Why do we let companies get away with patching problems as they're found rather than avoiding them up front? It seems as if they start thinking about adding security only after their products have been hacked -- and then, only when it affects their market share.

Android is one example. I have written about the security flaws inherent on that platform and why I've banned it in my organization. But I had to follow that up with concerns about Apple's iOS.

The Nest thermostat is another example. At a security conference last spring, researchers demonstrated how a Nest thermostat could be compromised. Even though I don't have any Nest thermostats in my office, it still makes me wonder why its designers didn't build security into the product from day one.

Other devices may have similar security flaws just waiting to be exploited, forcing us to rush to update them. A recent study by Hewlett-Packard found that 70% of common consumer devices had significant security vulnerabilities. And more and more, we are surrounding ourselves by these devices. You have to worry when even our cars -- incredibly complex machines that we stake our lives on -- become increasingly dependent on software systems.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.