When the subject is cybersecurity, business people are likely to think about phishing and how they and their employees need to avoid getting tricked into giving sensitive information to hackers. Or maybe they worry about the potential disruptions in commerce that can be caused by Distributed Denial of Service attacks, or DDoS, and other types of cyberattacks on programs.
There are deeper, even more pervasive security concerns that business people who use software applications should also keep in mind.
People rely on software to electronically communicate and interact every day, whether on mobile phones, through websites or other electronic means, Scarbrough points out.
“Software is your biggest exposure where malicious intent can be found,” he said.
So, business people need to closely screen the providers of software-based applications that they use. Consumers would be wise to monitor providers, too.
Software products are not designed to have weaknesses. But the programs are written by people and, therefore, are not perfect, Scarbrough said.
The reality is that coding flaws are relatively common, and the resulting weaknesses in software might not have been foreseen by developers. To make matters worse, the process of detecting and fixing risky vulnerabilities sometimes takes years.
In all cases, software patches should be promptly applied.
The 2017 breach at Equifax demonstrates the urgency of software security. The breach was the result of a publicly known software vulnerability and exposed millions of consumer records. It happened after the vulnerability had been identified. A fix became available, but the attack came before the company got around to patching its software.
If businesses are fortunate, the software developer or a friendly corporate user might discover serious flaws so they can be fixed before hackers can exploit them. However, in the computer world, word can spread quickly, and the bad guys are in the loop. The good guys are fighting back, though.
One example is the Open Web Application Security Project, or OWASP. It publishes an annual list of the most serious web application security risks. The objective is to educate software developers and other computer professionals about the consequences of web application weaknesses. OWASP’s website also provides techniques to protect against high-risk problems.
“It’s incumbent upon all of the software developers to promote good habits and reduce vulnerabilities that hackers could use,” Scarbrough said.
Detecting and repairing vulnerabilities are skills beyond the skillset of a lot business managers, but that probably won’t excuse them from the fury of business owners and customers after a serious data breach. Business managers have a duty as well as the motivation to thoroughly screen companies that build their websites and provide other software-based services.
Here, according to Scarbrough, are three important questions that business managers should ask vendors that want to provide their business with software-based services:
- Does the company use an automated testing process to continuously validate new code? If so, does it include tools such as static code analysis, dynamic code analysis and the OWASP Top 10 List to reduce the chance that software with vulnerabilities is being used?
- Does the company use open source software? If so, does it routinely run composition and compliance testing on the software to expose any known vulnerabilities in the open source software?
- Is the company’s software regularly updated? If yes, how often?
“As a business owner, you should be asking those questions,” Scarbrough said.
There is a never an absolute guarantee that hackers can’t exploit software in some way. However, businesses can take precautions and make hacking software difficult, Scarbrough said.