The SolarWinds and Colonial Pipeline hacks have brought security to the fore of software development. Once again. And again, our “thoughts and prayers” go out to the customers of those companies, and the companies themselves, harmed by the attacks.
I say this because we seem unable to get a handle on either, not unlike the mass shootings that plague America — and please, do not mistake this metaphor as the conflation of killings and software breaches.
In both cases, I place the blame at the feet of the industries. Despite the human cost, the gun industry has a vested interest in weapons proliferation. In software, our industry has an interest in giving people the tools they need to move more quickly, pounding the business users of their platforms and devices with messaging that if they don’t deliver software faster, fickle humans will leave the store they love for another whose website responds a couple of seconds more quickly, or who can provide a package to your doorstep a few hours sooner.
Some might call this heretical, biting the hand that feeds us. That is not what this is meant to be. I am awed by the changes I’ve seen covering this industry for over 20 years. Who could have envisioned the cloud, Kubernetes, edge computing, or Infrastructure as Code back then?
Yet, for all the advantages the cloud provides, we never saw the kinds of damaging hacks and data losses we’re seeing today when applications ran in on-premises data centers, behind firewalls, with code that didn’t rely on calls to so many outside services; the attack vectors were minimal. Ransomware? Millions of social security numbers and credit card numbers stolen? Unacceptable, and almost entirely preventable if our industry took security as seriously as it does speed to market.
Security — like comprehensive software testing — slows delivery. There’s a reason cross-site scripting and SQL injection remained on the OWASP Top 10 list of application vulnerabilities for over a decade — organizations see security as a necessary evil, not as their priority. Meanwhile, the “bad actors” on the other side have made breaking into applications and systems their top priority — it is, in fact, their reason for being. In the Colonial Pipeline hack, they had 4.4 million good reasons to hold the energy pipeline hostage.
What we need to do to curb this damage requires a reset of priorities. Security must be a critical consideration for all software releases. Not something to merely be “shifted left,” adding to the list of things developers have imposed upon them without the necessary knowledge and training to do it effectively. We’ve put the speed cart before the security horse, and it costs society in a big way.
I cannot argue against the many benefits of speed and agility to organizations. Delivering new features quickly based on customer requests and user data is essential for any business. But when quality suffers through insufficient testing, and security suffers through a lack of diligence, that more than offsets the gains that speed offers.
The Colonial Pipeline attack alone has left large portions of the Eastern Seaboard without gasoline, and where it can be bought, the price has increased by nearly a dollar a gallon in some places.
Some have again called on the government to take the lead on cybersecurity for our vital infrastructure. This column once supported that idea when data leaks and identity theft began to occur. Yet, federal efforts to control gun violence — or even to prevent foreign governments from interfering in our elections — show they will not handle this crisis either.
No, it is up to our industry to change the notion that security is some necessary evil to which lip service is paid so the speed of innovation isn’t impeded. Perhaps it’s because software breaches usually result only in monetary losses and — unlike the gun industry — not in human lives. Perhaps, like the culture changes required to implement many of the new processes created for software development, efforts on security require even more time and concerted effort to achieve.
Yet, I remain optimistic that the security initiatives being put in place today can slow the invasion of our systems and stanch the bleeding of data. It will take a renewed commitment to prioritize security in software delivery.