Categorically Unsafe Software

We've had many people ask us why we urge software manufacturers to eliminate entire classes of defect like cross-site scripting, SQL injection, directory traversal, and memory unsafety, as called for in our Secure by Design Pledge.
While it might seem like a novel concept to making software more secure, root cause analysis and mitigation of repeated classes of defect is the norm in industries that have significantly higher levels of quality and safety.
To improve product quality and security at scale, we need to spot patterns of recurring defect so that we can move from addressing each defect one at a time to eliminating them from the start.
Until we learn how widespread various classes of defect are, we won't be able to distinguish between classes of defect that companies should eliminate on their own, and those that require a coordinated effort by the larger software ecosystem.
If you truly align your product security program to prevent defects as early in the development cycle as possible, meaning that you are shifting security left on a timeline, you must contemplate ways to eliminate entire classes of coding error.
The idea is that repeated types of software defects are not the fault of the individual software developer.
See the prevalence of memory safety defects in languages like C/C++ compared to others like Swift, C#, Java, Rust, Python, JavaScript, Go, and Ruby.
Pulling software developers off other tasks to address software defects can be expensive and disruptive to project schedules.
If product teams eliminate enough of the classic defects, they may price some threat actors out of the market.
Many top software products fail to protect their customers from exploitation of the most common classes of defect.
We read in the news about these common defects causing significant damage to companies and government agencies.
We would hope that the software industry would eliminate top classes of defect every few years because doing so would increase the cost to threat actors.
We are still plagued by classes of defect like memory unsafety, XSS, SQL injection, directory traversal, and improper input sanitization.
What's especially noteworthy is that for most of these classes of defect, we have known of ways to prevent them at scale for years, and even decades.
Over the past 17+ years, many software companies have prioritized fixing software defects found in customer deployments over fixing them in their product designs, thereby putting customers at risk and leading to significant real-world harms.
The CWE explains the type of coding error that created the defect.
Ask those software companies what they are doing to eliminate that entire class of defect.
The bottom line is that a secure by design software development program necessitates formal efforts to eliminate entire classes of defect before the product ships rather than playing whack-a-mole with defects that appear on customer systems in production.
For the software manufacturer, a secure by design program that works to eliminate entire classes of defect is likely to be cheaper in the long run and will create a higher quality product that requires fewer emergency fixes.
It is the norm in other industries to perform root cause analysis and to work towards eliminating classes of defect and it is long past time for it to be the norm in the software industry.


This Cyber News was published on www.cisa.gov. Publication date: Mon, 13 May 2024 17:13:06 +0000


Cyber News related to Categorically Unsafe Software

CISA's Flags Memory-Unsafe Code in Major Open Source Projects - A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software projects. The chances that fresh insight on a long known issue will spur any immediate changes to the ...
5 months ago Darkreading.com
CISA Report Finds Most Open-Source Projects Contain Memory-Unsafe Code - More than half of open-source projects contain code written in a memory-unsafe language, a report from the U.S.'s Cybersecurity and Infrastructure Security Agency has found. Memory-unsafe means the code allows for operations that can corrupt memory, ...
5 months ago Techrepublic.com
Victory! Police Drone Footage is Not Categorically Exempt From California's Public Records Law - Video footage captured by police drones sent in response to 911 calls cannot be kept entirely secret from the public, a California appellate court ruled last week. The police department is the first law enforcement agency in the country to use drones ...
11 months ago Eff.org
What Is Software Piracy? - Software piracy has become a worldwide issue, with China, the United States and India being the top three offenders. In 2022, 6.2% of people worldwide visited software piracy websites. Software piracy doesn't require a hacker or skilled coder. Any ...
1 year ago Pandasecurity.com
Categorically Unsafe Software - We've had many people ask us why we urge software manufacturers to eliminate entire classes of defect like cross-site scripting, SQL injection, directory traversal, and memory unsafety, as called for in our Secure by Design Pledge. While it might ...
7 months ago Cisa.gov
The Crucial Need for a Secure Software Development Lifecycle in Today's Digital Landscape - In today's increasingly digital world, software is the backbone of business operations, from customer-facing applications to internal processes. The rapid growth of software development has also made organizations more vulnerable to security threats. ...
11 months ago Cyberdefensemagazine.com
Understanding SBOMs - In recent years, the adoption of open-source software in development has surged, now comprising up to 90% of what's built. There is a crucial aspect to consider when integrating open-source software components. To make sure their software is safe, ...
1 year ago Securityboulevard.com
12 Software Dev Predictions for Future - Predicting the future of software development trends is always a tough call. Such trends will also rule the future of the software development industry. Analyzing these future software development trends will put enthusiasts ahead of the competition. ...
11 months ago Feeds.dzone.com
How Patch Management Software Solves the Update Problem - I've never met an IT leader who doesn't know how important patch management is. At Heimdal, we believe patch management software provides the solution to this problem. Patch management software is a technology that allows businesses to automate the ...
5 months ago Heimdalsecurity.com
Consumer Software Security Assessment: Should We Follow NHTSA's Lead? - The US National Highway Traffic Safety Administration is dedicated to its mission: "To save lives, prevent injuries, and reduce economic costs due to road traffic crashes, through education, research, safety standards, and enforcement." Is it time to ...
1 year ago Darkreading.com
CVE-2021-35395 - Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another ...
1 year ago
New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
1 year ago Csoonline.com
Essential Features of Cybersecurity Management Software for MSPs - Protect your clients' businesses from cyber threats with Cybersecurity Management Software. A vital tool that aids MSPs in enhancing their cybersecurity practices is Cybersecurity Management Software. In this article, we will delve into the features ...
6 months ago Hackread.com
CVE-2017-8147 - AC6005 V200R006C10SPC200,AC6605 V200R006C10SPC200,AR1200 with software V200R005C10CP0582T, V200R005C10HP0581T, V200R005C20SPC026T,AR200 with software V200R005C20SPC026T,AR3200 V200R005C20SPC026T,CloudEngine 12800 with software V100R003C00, ...
7 years ago
McCaffrey Joins 'ASTORS' Champion SIMS Software Board of Advisors - SIMS Software, the leading provider of security information management software to the government and defense industries - and the 2023 Platinum 'ASTORS' Award Champion for Best Security Workforce Management Solution, is delighted to announce that ...
10 months ago Americansecuritytoday.com
CVE-2017-8163 - AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C30,AR1200 with software V200R006C10, V200R006C13, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30,AR1200-S with software V200R006C10, V200R007C00, V200R008C20, ...
7 years ago
CVE-2017-8162 - AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C30,AR1200 with software V200R006C10, V200R006C13, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30,AR1200-S with software V200R006C10, V200R007C00, V200R008C20, ...
7 years ago
EdTech Evaluation: Choosing Secure Educational Software - The evaluation of EdTech tools for their security features is crucial in safeguarding data and maintaining a secure learning environment. An edtech security evaluation is essential to determine if the software adequately protects student and teacher ...
11 months ago Securityzap.com
Tax Season Alert: Common scams and cracked software - OpenText is committed to providing you with the latest intelligence and tips to safeguard your digital life, especially during high-risk periods like tax season. Our threat analysts are constantly monitor the ebb and flow of various threats. One ...
10 months ago Webroot.com
92% of companies eyeing investment in AI-powered software - In 2024, buyers are increasingly focused on cost efficiency, AI functionality, and enhanced security, according to Gartner. The report reveals that 61% of buyers are seeking upgrades for more functionality in their recently purchased software. The ...
10 months ago Helpnetsecurity.com
16 top ERM software vendors to consider in 2024 - Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains ...
11 months ago Techtarget.com
Beware of Expired or Compromised Code Signing Certificates - One of the vital security measures taken in this direction is the use of code signing certificates to prove software authenticity, integrity and security. Code signing certificates, used for digitally signing applications and software, are an ...
1 year ago Securityboulevard.com
Software & Security: How to Move Supply Chain Security Up the Agenda - Software supply chains are under more scrutiny for security issues. The US government mandated software bills of materials for federal software projects so that security teams can understand any potential risks from software components. The ...
1 year ago Darkreading.com
Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
11 months ago Feeds.dzone.com
CISA: Most critical open source projects not using memory safe code - The U.S. Cybersecurity and Infrastructure Security Agency has published research looking into 172 key open-source projects and whether they are susceptible to memory flaws. The report, cosigned by CISA, the Federal Bureau of Investigation, as well as ...
6 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)