So, you think your code is secure? How hackers fooled the world
There is a strong misconception among businesses that the code in the many applications they procure and implement is secure. In fact, it is even worse: there exists an environment of complacency, with businesses (and consumers) relying on the belief that code is not a primary target of hacker breaches. Hackers are happy that so many have been fooled.
The reality is that software coding can be a complex task, and that complexity translates into more vulnerabilities for a hacker to exploit, especially during the process of deploying and maintaining the code. A favorite tactic of hackers is finding and exploiting flaws in the software code of a device or endpoint.
An article in The New Republic succinctly describes why software code can be so easy to breach: “Generally speaking, the term ‘software security’ is used to denote designing, building, testing and deploying software so as to reduce vulnerabilities and to ensure the software’s proper function when under malicious attack. Vulnerabilities are a special subset of software defects that a user can leverage against the software and its supporting systems. A coding error that does not offer a hacker an opportunity to attack a security boundary is not a vulnerability; it may affect software reliability or performance, but it does not compromise its security. Vulnerabilities can be introduced at any phase of the software development cycle—indeed, in the case of certain design flaws, before the coding even begins.”
Vulnerabilities are frequently found in widely used software programs and apps, including Microsoft Office. The apps themselves may contain malicious lines of code that grant permissions to access and extract contact information, personal private media, emails, messages, and stored passwords. Most businesses are not aware of this reality.
Systems and apps must also be patched and updated regularly, but patches are often neglected by IT shops, and even an update itself can be risky, as evidenced by the recent SolarWinds hack.
In cybersecurity, the weakest point is often the human element, and that includes coding. Many developers do not have the training to protect against authentication weaknesses and application logic flaws when they are writing code. That is why Common Vulnerabilities and Exposures (CVEs) remain a security challenge. Please see the graph below.
Number of common IT security vulnerabilities and exposures (CVEs) worldwide from 2009 to 2019
Inherent security flaws in code can be remedied by testing and by implementing malware threat-hunting capabilities. To be secure, supply-chain, legacy and in-house developed applications, as well as patches before they are applied, need to be scanned and analyzed for vulnerabilities. Automated behavioral computation algorithms can be used to detect weaknesses in apps and programs, but unless that testing and hunting is done on a regular basis, hackers will continue to have the upper hand.