Some Thoughts on Who Should Pay the True Cost for Insecure Software
May 10, 2013
- A clear majority of cybercriminals share the same motivation as legal commercial enterprises: the drive for profits.
- It is way too easy for cybercriminals to buy automated exploit kits and execute attacks for financial gain.
The recently released Verizon Data Breach Investigations Report shows that legitimate business has something in common with cybercrime: both are chiefly motivated by profits. The report found that of the 92% of breaches it unearthed that were caused by external bad actors, 55% were linked to strictly profit-motivated cybercrime groups. For legitimate business, the profit motive drives companies to focus on developing applications that either reduce the cost of doing business or add to top-line growth. In either case, what is rewarded in application development is speed, functionality and, increasingly, a good user experience. Secure coding and thorough testing that avoid common vulnerabilities are further down the priority list.
For hackers seeking ill-gotten profits from selling stolen credit card numbers or intellectual property, the chief motivation is to find and exploit the vulnerabilities that emerge in production applications – primarily Web applications these days – in order to steal valuable data as well as money. They too seek efficiency, increasingly delivered through automation in easily and abundantly available exploit kits. I was struck by a comment made in a conversation I recently had with security researchers from Eset: there were more of these exploit kits available than cybercriminals to exploit them.
There were a couple of takeaways from that comment that lingered for me. One is that the quality of the code that businesses acquire – whether from major software vendors or hired contractors – is not what it should be, and buyers in fact pay a much higher price for those inadequacies than just the acquisition and maintenance costs which they pay. The added costs derive both from the need to create a rather complex defense-in-depth infrastructure, which still fails to keep up with the changing tactics of cybercriminals, and from the cost of breaches to the enterprise – whether in lost intellectual property, money or reputation. The other takeaway is that there is an incredible waste of good talent spent on finding these vulnerabilities, packaging them up into automated exploit kits (that even come with SLAs in some cases) and peddling them in barely concealed black markets.
What if software buyers could push the responsibility for ensuring the software they buy is truly secure back on suppliers, making those vendors liable should a vulnerability in their code be exploited and cause a financial loss to the software buyer? That could change the equation, putting the incentives where they should be. What do you think?