Software Security Risks - Part 1

The present time is characterized by innovation as an element of the new economy. In software production, innovation is an important engine of growth. However, the pressure for new versions of software to rapidly replace the old versions brings security concerns.

Software is an essential part of modern infrastructure. It is present everywhere, from mobile phones, home and business computers to cars and planes. All systems use some kind of software; it is a critical component of business, financial, hospital, industrial and national security systems. So much dependence on software requires some indispensable software properties: quality, reliability and security.

The software production process of today does not deliver such properties. Marketing advantage in the software market has to be achieved rapidly, and it is achieved by rapid release of new versions of software and rapid replacement of old versions with new ones. In this process there is not enough room for a thorough check of quality or security - it is sufficient that the application works.

New software comes on the market full of errors, so-called "bugs". Weaknesses in the software are removed only when enough users protest, at which point software producers release so-called "patches". This cycle is repeated all the time: new software or new versions of old software are released, new weaknesses appear, and new patches for the vulnerabilities are released.

There are, however, weaknesses in software which producers or users never discover. They are a source of potential income for malicious hackers, who will use them to break into a system of interest or sell information about the weaknesses on the black market for software vulnerabilities. A "weakness sale" works on the principle of an auction - sold to the highest bidder - and very high prices per vulnerability can be achieved, depending on the kind of weakness and the system in which it is located.



Suzana Stojaković – Čelustka, PhD is an expert in the field of information security. Some of her related duties were: CEO of CARNet CERT (Croatian Academic and Research Network Computer Emergency Response Team) in 1997, CEO of the CARNet Department for security of computer networks in 1998, assistant for information security related jobs in the Office for internetization of the Croatian Government (2002 - 2004), senior advisor for information security in the Central State Office for e-Croatia, including development of the National program of information security in the Republic of Croatia (2004 - 2006), and CISO (Chief Information Security Officer) at the Croatian Bank for Reconstruction and Development (current position).

She is also a lecturer on information security topics on various occasions and an editor at the Croatian Information Security Portal. She received her BSEE and M.Sc. at the Faculty of Electrotechnical Engineering, University of Zagreb, Croatia, and her Ph.D. at the Faculty of Electrical Engineering, Czech Technical University of Prague, Czech Republic. Her Ph.D. thesis was on Building Secure Information Systems. Her other interests include research in computer architecture, distributed systems (networking), algorithmics, artificial intelligence and artificial life.

She is an active member of IFIP W.G. 9.6/11.7 (Working Group 9.6/11.7 - Information Technology Mis-Use and the Law, IFIP Technical Committee 9 - Relationship between Computers and Society) and IFIP W.G. 16.5 (Working Group 16.5 - Social and Ethical Issues in Entertainment Computing, IFIP Specialist Group on Entertainment Computing).

Comments (3)
  • Rubina  - It's not always about the money

    I agree that there are many drivers that influence the final outcome. However, many companies are willing to implement safeguards, but they just don't know how.

  • Suzana

    John, thank you for the insightful comment. The truth is that all three drivers count for software insecurity, and some more. I agree that industry willingness to deploy secure software should also exist and that cost is a common driver in choosing software, but the point is that insecure software costs much more than its nominal price. The question is: who really wants secure software and under what circumstances?

  • John  - Security Directions

    Rapid development is only scratching the surface. Industry willingness and the financial environment are the real drivers.
