Innovation at the expense of security

(Image credit: Pixelcreatures/Pixabay)

For every company in every industry, competition is as likely to come from an unknown startup as it is from long - established rivals. In the modern economy, if you’re not innovating fast enough, you’ll get run over by someone who is. Just ask broadcast and cable television companies about Netflix. Ask Hilton and Marriott about Airbnb.  The fear of death can be a powerful motivator.

Some of the biggest challenges to incumbents are leadership teams resting upon their laurels, deeply embedded cultural norms, and long-standing silos erected by software development, application security, and IT operations teams.  The entrenched cultural norms and silos fuel friction decrease velocity, and diminish innovation.

This stark reality, and fear of death, is why many organisations no longer view software development as a cost of doing business, but rather as a core competency and strategic imperative that defines the entire enterprise. All companies are now software companies. It’s also why organisations around the world are increasingly embracing a concept called DevOps - where the walls between IT operations and developers are torn down, wasteful practices ripped out, and collaboration at scale rewarded. The faster companies bring value to market, the more the market rewards them.

The magic of open source

Enter open source development practices - the miracle drug of choice powering DevOps and modern software innovation.

Open source components, or reusable, community developed software parts, allow companies to save time and money, improve quality, deliver business agility, and mitigate (some) business risk. The concept is not new. Long before the advent of open source, Isaac Newton famously said, "I see further by standing on the shoulders of giants and I discover truth by building on previous discoveries." This idea is a primary reason why open source components are so attractive to development teams.  The same holds true for the increasing use of containerised applications. Simply stated, free and open access to pre-existing software components and containers eliminates the reinvention of wheels and exposes software to a global community of “co-developers,” to ideate on and expand upon.

With so many benefits - it’s no wonder that 80 – 90 per cent of a modern application is composed of open source components.  And also why 80 - 90 per cent of modern infrastructure is being containerised.

You might be asking yourself - what’s the catch? Well - while these parts play a vital role in driving innovation and powering the world as we know it, not all parts are created equal. Our analysis of downloaded open source components from the Central Repository ( the largest and most active database of Java open source components) found that in 2017, 1 in 8 components downloaded by UK developers contained a known security vulnerability.

These truths are not unknown in the market.  Heartbleed was a notorious open source vulnerability.  Equifax was breached through a vulnerable open source component.  And according to the 2018 DevSecOps Community Survey of over 2,000 IT professionals, 3 in 10 suspected or confirmed an open source related breach in 2017.

According to the same survey, only 6 in 10 organisations have policies requiring the evaluation of open source components at some stage of the development lifecycle.  But with much of that requirement relying on tedious manual reviews outside of the development pipelines, the reality is that policies are often ignored (46 per cent of the time) and defects continue to make their way downstream into finished applications. Open source and DevOps give companies the power to stay alive, and in many cases out-thrive their competitor, but that innovation shouldn’t, and doesn’t have to be, at the detriment of their customers.

The role of regulation

The UK’s National Cyber Security Strategy 2016-2021 declared that “Businesses and organisations decide where and how to invest in cyber security based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.” That notion of liability is increasingly being applied not just in the UK but around the world, as governments turn up regulations.

For instance, both French legislators and the UK government recently announced tougher guidelines for  device manufacturers. The UK specifically demanded  that security must be built into smart devices from the very beginning and that software is automatically updated.

The EU has passed one of the most widely discussed pieces of regulation with the forthcoming General Data Protection Regulation (GDPR).  Article 32 of the GDPR states that companies must “implement appropriate technical and organisational measures” to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” When combined with Article 25, which mandates that data protection measures be implemented “by design and by default”, it’s clear that privacy and security must become ingrained in every element of IT infrastructure. If you fail to follow these rules and known vulnerabilities end up inadvertently helping hackers steal sensitive consumer data, you could be fined up to €20 million, or 4 per cent of global annual turnover – the greater of the two.  

Echoing the European policies, four U.S. Senators introduced a bipartisan piece of legislation called the Internet of Things Cybersecurity Improvement Act. According to a fact sheet released alongside the legislation, “While ‘Internet of Things’ (IoT) devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges.” The legislation specifically calls for vendors selling IoT devices “to provide written certification that the device does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects.” 

With great power comes great responsibility

This line of regulation aimed at consumer protection is not new.  Five years ago, no automaker could ship known defective Takata airbags in a vehicle.   Regulators introduced cattle feed guidelines to limit the spread of mad cow disease over 20 years ago.  

Passing the onus onto device manufacturers and organisations developing software to ensure that is secure from the beginning and over time, reflects similar regulations guiding consumer safety across other industries.  It is especially important when software now controls our health (e.g., internet-connected pacemakers), our transportation (e.g., autonomous vehicles), and our finances (e.g., online banking applications).

Today, application attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities. While we like to think companies would self-regulate their cybersecurity hygiene in our software driven world, daily breach headlines indicate that government regulations might be a necessary motivator for action.

If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different? In any other industry it would be considered gross negligence.

Never pass known defects downstream

Fortunately, many of the challenges related to the use of known vulnerable software components are easily solved.  Large and small enterprises alike are putting DevSecOps principles and practices to work.  One of the most important principles originates from DevSecOps leader Gene Kim and his novel, the Phoenix Project, which directs, “Emphasise performance of the entire system and never pass a defect downstream”.  

For firms deciding to follow this, automation is imperative. The stark volume of artefacts consumed by organisations today would outpace any attempt to manually review them to determine their health.  Machines can accomplish checks in milliseconds where humans might take hours to reach similar conclusions.  This reality is akin to the need for robotic analysis of parts being assembled on as high-velocity electronics manufacturing line - human examinations could never keep pace and are prone to error.

The question is not, can we develop secure software?  Certainly we can.  The application economy can grow and prosper in regulated, secure environments, if managed properly. On the other hand, if companies decide to ignore proper cybersecurity hygiene, thinking they’re opting for innovation, it may be more than just their death they’ll be responsible for.

Derek Weeks, Vice President at Sonatype

Derek Weeks

Derek advocates supply chain management principles in DevOps practices and is VP and DevOps advocate at Sonatype. He is an international speaker lecturing on software development, DevOps, and application security. He is results-oriented driven executive with proven ability to successfully capitalize on emerging market trends at large and small companies.