Hassan. Posted February 2, 2021

The recent compromise of SolarWinds’ Orion software has led to lots of largely ineffective hand-wringing. I’ve seen more time spent on talking about who should be blamed for the incident than on how to mitigate the damage that it caused or to reduce the chances of a similar incident happening in the future. But it has motivated the creation of lots of new initiatives to increase the security of software by adding all sorts of additional processes and oversight to software engineering organizations. These efforts might provide some small, incremental gains in the security of software, but they are probably doomed to do little more than that. Security of code simply isn’t a priority for some developers, and it’s going to be very hard to change that for much of the software currently in use. And it’s probably the case that even the most careful and thorough software security engineering practices are not going to produce secure commercial software. Here's why.

The problem with FOSS

Free and open-source software (FOSS) is here to stay. Although most FOSS projects don’t go anywhere, those that do can end up making a huge difference. Lots of the Internet now runs on the FOSS LAMP stack—the Linux operating system, the Apache web server, the MySQL database, and the PHP programming language. Commercial alternatives for each of these exist, but they have yet to gain the level of acceptance and use that their FOSS competitors have. Similarly, FOSS components are part of essentially all commercial software these days.

It isn’t easy for software companies to get their developers to take software security seriously. My experience has been that it takes a significant effort backed by the highest levels of management to get this to happen. But it has happened in some places, and the quality of software has dramatically increased in many cases because of these efforts.
But it seems to be much harder to get FOSS contributors to take security seriously. The Linux Foundation's recent 2020 FOSS Contributor Survey suggests that FOSS programmers just aren’t that interested in security. They are motivated instead by things such as learning new skills and gaining the respect of their peers. They spend less than 3% of their time responding to security issues. And some of their responses to the survey suggest that it’s going to be very hard to get them to take security more seriously. Text responses indicated that many respondents had no interest in increasing time and effort on security; it was not simply that they wanted to be proactive. One respondent said, “I find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks. I am an application developer.” Another said, “I find security an insufferably boring procedural hindrance.”

So with a significant share of the software in use today relying on FOSS in some way, it seems likely that we’ll be dealing with the security issues that come with it for the foreseeable future.