Poor patching is still one of the biggest security issues
The bulk of the software on which we rely has not been written with sufficient rigour and we are paying the price, says Tony Dyhouse.
Tony Dyhouse, director of the Trustworthy Software Initiative
In corporations with a complex information systems infrastructure comprising many different components, the planning and resources needed to patch can be considerable, but if not done in a timely fashion it leaves the system exposed to failure and compromise.
This is as much an awareness and policy issue as a technical one. For this reason the Technology Forum, a partnership between UK government and 16 global leaders from the technology sector including IBM, Dell Secureworks and Microsoft, joined forces with Trustworthy Software Initiative (TSI) to bring the importance of software maintenance to people's attention through awareness raising and practical guidance.
What is the danger?
Software failure can be devastating to a business. The implications of security breaches are well documented – loss of customer trust, fines, compensation claims. The likes of Sony and Adobe will testify to this.
But it goes beyond hackers exploiting vulnerabilities to steal data. Internal errors can be just as damaging. A system crash can mean an inability to do business.
In 2012 RBS applied what should have been a routine software update to its job processing system. When a problem was noticed, it was decided to uninstall the software without testing the consequences. Furthermore, the software upgrade selected was not compatible with the previous version.
As a result, a backlog of 100 million transactions built up, ATMs shut down, salaries and retail transactions went unpaid, and RBS's share price fell. Almost 17 million customers were unable to access funds and process payments. To date it has cost RBS £231 million in fines, compensation and extra payments to staff.
Last year an error was spotted in Xerox's image processing software which misread numbers, printing scanned numbers differently. In the case of the person who discovered the error, they were dimensions for building construction plans. It's clear to see that such an error could have serious consequences.
These types of problems will only become more common if we do not improve coding practice. The Internet of Things (IoT) is producing an increasing reliance on software distributed via app stores. This does not come with the same level of testing as established software companies with standards in place – though even they don't always get it right.
People building these products need to appreciate they will become part of a decision-making chain. For example, there is a growing interest in wearable health technology, where a user can “self-monitor” their health. However they may chose to share that data with their clinicians, who in turn use it to inform the choice and dosage of medicines prescribed. How much thought was given to this when writing the software?
What do companies need to know?
Patching software can be a resource intensive exercise for corporations with a large and diverse IT estate. There are risks which have to be managed. However, delaying patching leaves systems exposed to failure and compromise – a risk which will eventually happen, and from which a business can struggle to recover.
The best approach is to have a strategy for ensuring you can trust your software, following the principles laid down in The Trustworthy Software Framework (TSF).
The TSF covers issues such as understanding the risks, separating secure environments, validating data output, reviewing system response in failure mode, and designing systems to withstand or minimise effect of disruptive incident. It forms part of the BSI's PAS 754:2014 Software trustworthiness – Governance and management – Specification.
Not all software needs a high level of trustworthiness, and measures need to be pragmatic and cost effective. To this end the TSI has defined five levels of trustworthiness. Much of the software used by businesses in their daily operation only needs to be at the lower levels, for which TSI has provided a set of measures called the “Trustworthy Software Essentials” to address the preparatory lifecycle, which complements the “Cyber Essentials” initiative launched by UK Government to address the in-service lifecycle.
No software is foolproof. We do not aim to achieve software with zero defects; it's just not possible in anything other than trivially small items of code. However, ensuring best practice could prevent the kind of breaches outlined above.
What are we doing to help?
A good proportion of the breaches over recent years could be avoided by better policies. The TSI works on the so called “Pareto Principle” – 80 percent of the effects come from 20 percent of the causes – which can largely be simply addressed.
This has two obvious strands – getting those writing software to ensure it is trustworthy from the start, and ensuring those using it keep it updated.
For the former, we are working with various approaches and with existing schemes for assessment for software realisation to allow formal recognition of those who fulfil the criteria, allowing them to demonstrate they meet certain levels of trustworthiness around safety, reliability, availability, resilience and security. This effort is being supported by a number of companies both buying and selling software.
For companies using software, the challenge is mostly about awareness. We need to create demand for people to buy trustworthy software. When faced with a choice between similar products, we want people to understand the importance of choosing the more trustworthy one, even when there is an increased upfront cost. The examples above should illustrate why this is cost effective in the medium to long term.
We are supporting a greater appreciation of ensuring software is trustworthy in a variety of ways, from developing guides to producing awareness-raising videos explaining in plain language the dangers of failing to patch and update systems.
Our hope is that these activities will encourage businesses to invest time and resources into the development and maintenance of trustworthy software. Considering the substantial risks untrustworthy software can pose to individual businesses and the UK economy as a whole, it is important to raise awareness of this important issue. People need to realise software issues are responsible for 90 percent of IT failure and breaches, and software trustworthiness is an essential part of any cyber-security strategy.Contributed by Tony Dyhouse, director of the Trustworthy Software Initiative.