Consumer Software Security Assessment: Should We Follow NHTSA's Lead?

The US National Highway Traffic Safety Administration is dedicated to its mission: "To save lives, prevent injuries, and reduce economic costs due to road traffic crashes, through education, research, safety standards, and enforcement." Is it time to create a similar organization dedicated to consumer software security? The mission would be quite similar: to ensure that software meets basic security and safety standards and is easy for consumers to understand, implement, and sustain. Today, cars must meet a basic safety standard before they are cleared for sale to the public, but software does not.

Meeting Basic Safety and Security Needs

Uber's Android app has more than 10 million lines of code, nearly as many as a typical smartphone operating system, which comes in at around 12 million. Many of those lines implement settings that affect security and privacy and are configurable by end users, and both matter to most users. Yet many software and device users don't realize that they need to consider each of those settings carefully, and few products protect users by default from exposing themselves to attack or from overly permissive data access, which makes consumers an easy mark for malicious actors. To increase software security, safety features must be in place by default, and users must also actually use those features for them to be effective.

Creating Safety Ratings

One problem with consumer software security is that software and device manufacturers do not warn people of the danger of using their products in the default configuration. Understandably, exhaustive testing to identify and fix every possible bug before release is a daunting task for software developers. The White House has urged strengthening of the software supply chain in Section 4 of the Executive Order on Improving the Nation's Cybersecurity. But while releasing bug-free software is hard, warning customers that they should review and modify the default settings is not. This warning should come with every software app and device.

What if software and devices also came with a security rating upfront, based on factors such as the number of security patches required over time to make the application more secure, and the security features in the application, such as encryption, authentication, and authorization? Users could rely on that rating to decide whether they are willing to make a functionality vs. security trade-off.

The Consumer's Role in Software Security

With so much software in users' hands all day, every day, it's imperative for them to initiate their own security and privacy review of the software and devices they use. Our role as security educators and software providers must be to urge users to review all default settings on new out-of-the-box software and devices and to make changes as appropriate. Guides are already available to help users configure the most important settings, which gives them the option to decide on the balance between functionality, security, and privacy. Consumer Reports published its "Guide to Digital Security and Privacy" to help consumers stay safe online, control online tracking, and protect phones and laptops from attackers. A simple safety rating system that aligns with the broader cybersecurity policies of the current administration could ensure that consumers understand the basics of how to keep themselves, and their software and devices, safe and secure.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000
