Yesterday I was quoted on cnn.com for an article on the New York Times hack. In a nutshell, the Times reported that hackers broke into its network and stole passwords from internal users for months. The article on CNN focused on the ineffectiveness of anti-malware products in detecting new forms of malware. Anti-malware products have their place, of course, but are widely acknowledged as being just one part of a holistic security program.
It’s important to underscore the role of secure software development practices in preventing the propagation of malware. When organizations purchase and build software, they increase their attack surface. Every piece of software running on a laptop, desktop, server, or mobile device may very well be an entry point into the system. While traditional end-user security awareness curricula focused on training users to avoid downloading and running executable attachments, the current reality is that simply visiting a web page or opening a seemingly benign file can result in a full system-wide compromise. Increasingly, even visiting a trusted web page can result in compromise thanks to the growing popularity of Cross-Site Scripting as an attack vector.
In most of these cases, malware is taking advantage of issues documented in the Common Weakness Enumeration. After understanding this, a handful of the most prolific software brands like Microsoft and Adobe have really focused on implementing secure software development practices. Most software, however, has yet to catch up. Organizations are right to beef up endpoint security and network monitoring to help contain an attack, but ultimately pressuring software vendors to improve their security practices will have the biggest impact in actually reducing the chances of malware entering the network. Large organizations can take advantage of tools like the OWASP Secure Software Contract Annex to enforce secure software development on their vendors. Smaller organizations that don’t have the clout to demand more secure software from vendors can team up with industry peers. As a group they can let suppliers know that software security above and beyond the current “industry standard” is a differentiator that factors into their procurement process.
We can’t seriously expect users to avoid clicking on “suspicious” links or opening documents that look legitimate. We can seriously expect the organizations that build the applications we run to take secure software development seriously, and to reduce the possibility of their code being the enabler of malware.