Software vulnerabilities – they do it on purpose

RapidVPN / July 4, 2019 / Blog

Software is made by people, and since people are not perfect, software is not either. At least that is what we believe. We also believe that security experts are constantly looking for errors and that they inform developers about discovered flaws so the software can be patched. But have you ever wondered whether developers deliberately make software imperfect and intentionally release it to the market that way?

The reason software is so vulnerable is basically economic. More new devices are connected to the Internet each month, and the market grows bigger every day. Because there are more Internet-connected devices and applications to exploit, competition between software providers is fiercer. Software is released into the marketplace before it is ready, or by opportunistic developers with little sense of responsibility and weak secure-coding skills.

Companies often encourage outsiders to look for vulnerabilities by offering rewards. It is easier and cheaper to pay someone else to find software shortcomings than to invest in security and professional staff.

Developers make software “vulnerable by design”. This might be for malicious purposes, hidden commercial agendas or surveillance programmes. To save money, software designers use outdated system architectures that are open to attack. The market doesn’t want to pay for quality software; it prioritizes fast and cheap over good. The result is that any modern software package contains hundreds or thousands of bugs, and bugs can be vulnerabilities.

The market does not punish a software vendor more severely if a third party discovers a flaw in its product than if the vendor itself discovers it. Who pays the price of software vulnerabilities? We do. If we have to choose between two bad products, we choose the one that is less bad, but it is still a bad product. We pay for that product while putting ourselves at risk of being hacked. IBM’s “2018 Cost of a Data Breach Study” reports that the global average cost of a data breach was $3.86 million, while according to the IEEE Computer Society, the cost to repair a single vulnerability in an application during the design phase is less than $500.

On the other hand, we all know that everything would be better if software vendors fixed vulnerabilities during the development process, but the market doesn’t reward that kind of delay and expense.

If we put all of the above aside, there is a still more dangerous and, let’s say, more expensive problem with software vulnerabilities: “zero-day” vulnerabilities. The term “zero-day” refers to a newly discovered software vulnerability. There are customers who want to buy zero-day vulnerabilities with no intention of fixing the flaws, only to use them for their own gain. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the public. On today’s high-tech market, zero-day exploits are highly valued. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers and then selling zero-day exploits to high-paying customers.

There are dozens of companies selling high-tech weaponry on the zero-day exploit market, and some of them sell exploits for every major browser and operating system. These companies don’t want to disclose their findings, because disclosure would help fix the flaw and make the software safer for users; they want to keep the flaws for their customers. This market is growing, and there are even detailed price lists for various zero-day exploits. The market remains secret and the flaws remain unpatched, and that is what makes it so dangerous. It gives programmers within a company the motivation to deliberately create vulnerabilities in the products they’re working on and then secretly sell them to some agency or company. No commercial vendor has the kind of system that would be needed to detect and prove this kind of sabotage.

But who exactly are these companies selling to? It’s not only criminal organizations who pay for vulnerabilities they can exploit. Now companies and agencies sell to other companies, agencies and even governments (for offensive or defensive purposes), and all of them buy vulnerabilities intending to keep them secret so they can exploit them. Let’s just say they sell to the highest bidder, and beyond that, a firm’s exploits can still fall into the wrong hands of any regime through re-selling or recklessness. No matter who the buyers are, everyone who sells zero-day exploits for malicious purposes rather than fixing the software is responsible for making the Internet less secure for users.

So, at this point, we can look at software security as an added cost for software developers, and at software vulnerabilities as a way to make more money by selling those vulnerabilities. Let’s keep in mind that a piece of software can’t be patched forever. To stay in business, software companies have to keep improving their programs and selling copies of the updated versions, or they make software weak so they can stay in business by selling updated versions. A software vendor releases a new, “better” product with new, unknown vulnerabilities. Whatever the reason software is vulnerable, the reality is that most open source components remain unpatched once they are built into software, leaving the technology and its users open to attack. All we can do to protect ourselves, as users, is to install software updates regularly, as soon as they are available.