Software vulnerabilities – they do it on purpose
Software is made by people, and since people are not perfect, software is not either. At least, that is what we believe. We also believe that security experts are constantly looking for errors and that they inform developers about discovered flaws so they can patch the software. But have you ever wondered whether developers deliberately make software imperfect and intentionally release it on the market as such?
The reason software is so vulnerable is basically economic. More and more new devices are connected to the Internet each month, and the market is getting bigger every day. Because there are more Internet-connected devices and applications to be exploited, there is greater competition between software providers. Software is released into the marketplace before it is ready, or by opportunistic developers with little sense of responsibility in software development and weak secure-coding skills.
Companies often encourage outsiders to look for vulnerabilities by offering rewards. It is easier and cheaper to pay someone else to find software shortcomings than to invest in security and professional staff.
Developers make software “vulnerable by design”. This might be for malicious purposes, hidden commercial agendas or surveillance programmes. To save money, software designers use outdated system architectures that are open to attack. The market doesn’t want to pay for quality software, and it prioritizes fast and cheap over good. The result is that any modern software package contains hundreds or thousands of bugs, and bugs can be vulnerabilities. The market does not punish a software vendor more severely if a third party discovers a flaw in its product than if the vendor itself discovers the flaw.
Who pays the price of software vulnerabilities? We do. If we have to choose between two bad products, we choose the one that is less bad, but it is still a bad product. We pay for that product and put ourselves at risk of being hacked.
IBM’s “2018 Cost of a Data Breach Study” reports that the global average cost of a data breach was $3.86 million, while according to the IEEE Computer Society, the cost to repair a single vulnerability in an application during the design phase is less than $500. We all know that everything would be better if software vendors fixed vulnerabilities during the development process, but the market doesn’t reward that kind of delay and expense.
Even if we put all of the above aside, there is a still more dangerous and, let’s say, more expensive problem with software vulnerabilities: “zero-day” vulnerabilities. The term “zero-day” refers to a newly discovered software vulnerability. There are customers who want to buy exploitable zero-day vulnerabilities with no intention of fixing the flaws, but to use them for personal gain. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the public. On today’s high-tech market, zero-day exploits are highly valued. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers and then selling zero-day exploits to high-paying customers.
There are dozens of companies selling high-tech weaponry on the zero-day exploit market, and some of them offer exploits for every major browser and operating system. These companies don’t want to disclose their findings, because disclosure would help fix the flaw and make the software safer for users; they want to keep the findings for their customers. This market is becoming larger, and there is even a detailed price list for various zero-day exploits. This new market remains secret and its flaws remain unpatched, and that is what makes it so dangerous. It gives software programmers within a company the motivation to deliberately create vulnerabilities in the products they’re working on and then secretly sell them to some agency or company. No commercial vendor has the kind of system that would be necessary to detect and prove this kind of sabotage.
But who exactly are these companies selling to? It’s not only criminal organizations who pay for vulnerabilities they can exploit. Now there are companies and agencies selling to other companies and agencies, and even to governments (for offensive or defensive purposes), and all of them buy vulnerabilities with the intention of keeping them secret so they can exploit them. Let’s just say they sell to the highest bidder, and a firm’s exploits could still fall into the wrong hands of any regime through re-selling or recklessness. No matter who the buyers are, everyone who sells zero-day exploits for malicious purposes rather than fixing the software is responsible for making the Internet less secure for users.
So, at this point, we can look at software security as an added cost for software developers, and at software vulnerabilities as a way to make more money by selling them. Let’s keep in mind that a piece of software can’t be patched forever. To stay in business, software companies have to keep improving programs and selling copies of the updated versions, or they make software weak in order to stay in business and sell updated versions. A software vendor releases a new, “better” product on the market with new, unknown vulnerabilities. Whatever the reason software is vulnerable, the reality is that most open source components remain unpatched once they are built into software, leaving technology and its users vulnerable to attack. All we can do to protect ourselves, as users, is to install software updates regularly, as soon as they become available.