‘It’s Not a Bug, It’s a Feature’ – Are Companies Too Complacent with Software Defects?
As the world becomes ever more connected, there has also been too much acceptance of flawed costs, as noted by last month’s CrowdStrike update that crashed computer systems worldwide.
“Vulnerable software or code is a common issue. Ethical hackers commonly find vulnerabilities in web applications to gain footholds in servers during penetration tests to access computing environments. Some of the reasons for these security flaws are software being developed too quickly and not adhering to secure coding standards, and being not tested, or suboptimally tested,” said Phil Wylie, offensive security expert at Horizon3.ai.
“Bugs and bad code are both known issues,” Wylie told ClearanceJobs. “Bad code is a direct effect of bad coding and software security practices. Bad code is a side effect of bad coding and software security practices. Third-party models, application servers, and development languages can have vulnerabilities too, which affect the software making it vulnerable.”
Software is Part of Security
Too often, cybersecurity is seen as a different entity from software – but the two go hand-in-hand. Properly developed software could help mitigate security vulnerabilities.
“Too many people in the industry think cybersecurity is separable from the software base like it is something you can paste on at the end of a build,” suggested James Purtilo, associate professor of computer science at the University of Maryland.
Nothing could be further from the truth, he told ClearanceJobs, adding that security is one of the several important ingredients that need to be baked into the cake.
“Today’s prevalence of flawed software products stems in part from the idea that you can promote cybersecurity in isolation since higher education has squeezed traditional software engineering programs to favor trendy cyber offerings,” Purtilo continued. “We just don’t prepare young software engineers as in the past, and for this blame campus administrators who are keen on marketing new tracks. They prioritize lab resources and hiring in pursuit of the shiny cyber label, and meanwhile, there is less for those of us who research and teach the enduring practices that promote quality. If you learn how to design for quality, then it is not a hard stretch to ensure security as well; the best investment in cybersecurity would be to flesh out solid software engineering programs again.”
Click HERE to read the full article
The Department welcomes comments, suggestions and corrections. Send email to editor [-at-] cs [dot] umd [dot] edu.