Software Security's Journey to the Mainstream
It’s 2023. Threats aren’t just a consideration; they are a priority in the software industry. As a result, Product Engineering and DevOps teams have taken a more proactive role in the prevention of vulnerabilities. There is nothing more embarrassing to developers than finding out, in front of stakeholders, that their luxury home is actually a house of cards because of a bug that a testing tool could easily have detected.
Luckily for everyone involved, we have the technology today to find potentially harmful coding errors before they can cause harm. But that hasn’t always been the case.
Let's take a trip in the 'way back machine' to the early days of software development and the bumpy start of software security.
In the Beginning…
About two decades ago, key stakeholders of a well-known software firm attended a meeting about their firm's website security. On the agenda was a read-out of the results of an external penetration test conducted by a troupe of ethical hackers. This team had built a reputation for being skilled at what they did and was increasingly sought out to conduct these assessments.
We were only moments into the meeting before the company’s top developers exited the room, muttering expletives in embarrassment for what they had missed and in frustration for what now had to be fixed.
Bad News Travels Fast
Word soon traveled through the company of an easy-to-exploit code flaw found in production. A simple fix wasn't possible, and attempts at remediation only made it worse. The devastating effects of this flaw spared no one. The landscape of application security as we knew it had just been forever altered.
The White Hats are Coming!
The only people at the time with the skills to spot exploitable code were called "hackers" and were regarded as practitioners of the dark arts! To most they were criminals, causing havoc and stealing data, money, and access to private, public, and government systems.
From them arose a moral sect with pure intent, who came to be known as "white hat hackers". These were the good guys, the security heroes, who could be dispatched to find security bugs in software, both great and small.
Their arrival and growing utilization brought a rush of security-related triage and rework, and with it mostly panic. The chaos that was created and the increased work that followed greatly impacted engineers and developers. They were completely unaware of how the flakes of software security awareness would snowball and just keep rolling, accumulating until it was clear that security issues weren’t going away and better tools were needed to detect them.
Although the ability to spot code vulnerabilities with the help of an automated "crawler" or "scanner" was slowly developing, the ability to be proactive was still unattainable due to the high cost of tools and staff. While the creation of software also created billionaires, the importance of software security was barely a thought. Only a few contemplated the future problems that would cause terror in the world. It only took a few global attacks and major public threats before the importance of trustworthy systems began to take hold.
Ignorance is Definitely Not Bliss
Because getting advanced insight into code security posture remained impractical for most, the unwanted and potentially embarrassing surprises kept coming. Even with detection tools and specialists becoming more accessible, the problem shifted to treating (or not) the growing number of issues being uncovered.
Whether it came from white hat hackers or from a tool, awful news was arriving more frequently, and many firms reacted poorly, denying, downplaying, and avoiding the problems that had been laid bare until it was too late.
Hope for the Present (and Future)
Today, nearly every company is a software company in some fashion. Code is developed continually, reaches into homes and industrial systems, and touches every part of our lives.
Thankfully, it is becoming easier to avoid the software security problems of the past. These days we have simple solutions to these complex issues that coders can use to ensure peace of mind for themselves and their clients.
The emergence of simple, reliable, and far more efficient tools and services is unlocking the ability of developers and coders to be more security-minded, allowing them to test the security of their work whenever they want.
If you would like to get a free 1 on 1 AppSec consultation to evaluate your current security posture, you can reach out to us at True Positives.