Companies can't afford to develop software for every device connected to their networks. While in-house, mission-critical hardware often gets a dedicated team of IT professionals to create and test code, other end points such as point-of-sale (POS) devices, printers and routers aren't given the same scrutiny. As noted in a recent IT News article, however, old strains of POS malware like Backoff are making reappearances while new variants such as Soraya and Chewbacca are starting to infiltrate systems. The cause? An assumption on the part of companies that software security testing is handled by third-party providers before devices are sold and shipped. There's a simple lesson here for businesses: Assume nothing.
Karl Sigler of Trustwave puts it simply: "These third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn't demonstrate an up-front benefit. They can't say they saved X amount of money by using security." In other words, security isn't a selling point since it speaks to what might happen instead of how products must perform. Functionality trumps security every time — and that's not such a bad thing, but it is something product purchasers must be aware of.
So what can companies do to ensure they get the best software for their IT budget? One option is to ask for exactly what they want. If businesses make security a priority in any purchase, suppliers will quickly learn that untested code simply isn't enough. This poses several problems, however. First is the fact that security doesn't come free. Properly testing code requires both rigor and automation, and most third-party vendors aren't set up to provide this kind of scrutiny. As a result, buying secure applications comes with a price tag. Vendors willing to tackle security on the cheap, meanwhile, lead to a second problem: improperly tested code that carries a weak assurance of "good enough."
Another option is to leverage the help of a third-party security service to test all applications on a corporate network, regardless of origin. Here, vendors take a backseat to the strength of their code and companies get the benefit of knowing which outsourced suppliers are up to snuff and which should be avoided moving forward. With the number of vendor-sourced applications even small companies use daily skyrocketing thanks to mobile and cloud use, this kind of testing protocol makes life easier.
But the ultimate lesson here? Since buyers of products can't be certain that the seller considered security requirements during the development process, they must take responsibility for both the software they build and the software they buy. This starts with testing any products that touch or process critical data, such as POS systems that handle credit-card transactions, but in the long term requires a new discussion. Software vendors must come to understand that security is not optional — it must be incorporated into product development itself. If buyers don't put their money behind security, sellers will never prioritize it.
Third-party software isn't naturally secure, and vendors don't put time or money into software security testing. The bottom line? Assume nothing; test everything.
Photo Source: Flickr