How responsible are software providers for cybersecurity?

[Image: A computer being guarded by cybersecurity. (Image credit: iStock)]

Playing the blame game is often the first port of call whenever a security breach occurs. From the outside, it’s business leaders who tend to take the most public scrutiny for cybersecurity incidents, with press and customers alike asking how they allowed this to happen. From there, business leaders turn their attention internally to their IT and security teams and ask the same questions. When a breach occurs, it’s ultimately due to existing security vulnerabilities that should have been identified and addressed earlier, so it’s natural that the blame tends to fall on teams whose main responsibility it is to find these vulnerabilities.

But in recent years, debate has started to shift, with some beginning to question the level of liability that software vendors should hold when a vulnerability in their product is exploited. The idea that more onus should be placed on software providers to put security first has been around for a while, with the House of Lords even recommending holding software vendors accountable back in 2007. But with high-profile breaches now seeming to happen on a weekly basis, such as the Log4j exploits or the CitrixBleed attacks, questions are being asked. It’s often claimed that an emphasis on blaming individual user errors and company decisions for breaches has permitted a culture of persistent security flaws, allowing spiraling security debt (which refers to any vulnerability left unfixed for more than a year) to take hold.

There is much work to be done to improve the state of software security, but it isn’t a matter of blame. Rather, this is an opportunity for vendors to rise to the challenge, prove they are dealing with security vulnerabilities, and act with their customers’ best interests in mind. But where should they begin? The answer lies in proactively reducing security debt.

John Smith

EMEA CTO, Veracode.

Keeping up the positive momentum

When looking at the progress software developers have made in addressing flaws, we can see that they are certainly stepping up to the challenge. Our recent State of Software Security Report showed some positive signs, with the prevalence of high-severity flaws reported by businesses having dropped to half of what it was back in 2016. Persistent issues, however, still haunt many organizations. The first concern is that more than 70% of organizations are still grappling with security debt – a worrying statistic given how much more susceptible an organization with unaddressed vulnerabilities is to breaches.

A deeper dive into the statistics shows this could be even more worrying than it appears at first glance. Almost half (46%) of organizations have persistent, high-severity flaws that constitute critical security debt, whilst only 35% of teams demonstrate a sustained capacity to eliminate all critical security debt. If software providers really are to step up to the challenge and solve these security issues, they need to develop a strategy that prioritizes reducing security debt for organizations using their software.

How can vendors reduce risks?

Software providers play a pivotal role in shaping the security landscape, and as the complexity of threats continues to evolve, their responsibility in mitigating risks becomes increasingly crucial. The most important thing is for vendors to address risk prioritization and scalability. Good risk prioritization processes allow software providers to focus on addressing critical vulnerabilities efficiently, and minimize the likelihood of breaches and associated security debt.

Scalability is also essential – software providers need to be able to adapt and respond effectively to varying levels of demand and complexity within their security initiatives. That way, they can put themselves in the best position to respond swiftly and adapt to emerging threats, as well as optimize their resource allocation and focus their efforts on the most critical areas. All this combined will help vendors reduce risks of breaches within their software, minimize organizational security debt, and enhance their ability to protect customers and safeguard their reputation by instilling confidence in their security measures.

The security landscape is increasingly difficult to navigate. With threats from new technologies becoming ever more pervasive and complex, it’s increasingly important to prioritize software security. Yes, organizations must hold themselves accountable for safeguarding their digital assets, and internal scrutiny is necessary to address vulnerabilities effectively. However, as the landscape evolves, so too must our approach to accountability. 

This shift isn't about assigning blame; it's an opportunity for vendors to demonstrate their commitment to security and contribute to a safer digital ecosystem. As we navigate the complexities of cybersecurity and aim to reduce security debt across the board, collaboration, accountability, and proactive risk mitigation will be essential for a secure and resilient future.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
