Pied Piper Introduces House 1.0
We don’t have a cybersecurity problem. We have a software quality problem - Jen Easterly, head of CISA at BlackHat 2024
Suburbia - Silicon Valley Style
Imagine this scenario with me. You're living the American dream. You've just moved into your first house - a brand new home in suburbia, in a brand new subdivision with hundreds of newly completed homes. You have central air, a pool, room for your cars in the climate-controlled garage, and a 2000" TV that could be seen from space if you didn't have a roof over it. Life is good. But on the second Tuesday of the month you notice a truck coming down your block dropping off new water heaters at every home. On the heater is a note that says you need to install this ASAP because the one you have installed is defective and could explode like a rocket. Weird, you think, but ok, if it is that important. Then, like clockwork, on the second Tuesday of the next month another truck comes by and drops off a new sliding patio door at every house, with a note suggesting that you need to install it ASAP as the installed one is prone to shattering with changes in humidity. Wow, you think, it's a good thing they're looking out for me, but I really don't know how to properly install a new patio door. So you leave it in the garage until you can figure out how to install it. Then, about a week later, you get told that you need to do something to protect your roof because it turns out the shingles you have can catch fire in direct sunlight. Unfortunately the builder doesn't have new shingles to drop off for you; they're working on getting some built that should work for your house, but at least they've recommended how you can use tarps to mitigate the threat of fire. On the news that night you hear that this is what may have burned down a neighbor's house across the subdivision yesterday. Wow, you think, I'm so glad the builder is looking out for me.
This continues on for about 3 years, and then one day the builder comes and tells you you need to upgrade to Suburban House 2.0 since this one isn't supported anymore, which is weird because it still seems fine to you, but you do admit that the monthly fire drills - your neighbors have taken to calling it "DIY Tuesday" - seem excessive.
I know that sounds far-fetched, but this is exactly what happens when you buy (or, more commonly, lease) software today. You're even so conditioned to it you probably don't notice, especially because your home computer probably auto-magically applies the monthly patches in the background - at least for the operating system. You're far more "on your own" with the applications running on your computer.
But You Don't Have To Take My Word For It
In August of 2024, Director of the US Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly addressed BlackHat attendees in Las Vegas, where she made the situation clear:
We don’t have a cybersecurity problem. We have a software quality problem.
A bold and unequivocal statement that has the unmitigated gall to be correct. After all, in what other part of our world do we allow half-baked products to be used as critical infrastructure? What other critical part of our economy do we allow to be overhauled regularly on the second Tuesday of the month? You don't wake up once a month to a bulletin telling you that the flour, sugar, and dishwasher detergent you have in your cupboards need to be replaced because something was found wrong with them all, do you?
Yes, Software Is Unique
I know that. I was writing "hello world" programs in TI Extended BASIC about the time I graduated from "See Spot Run" books. I've written in that, Pascal, Fortran, and too many scripting languages.
One of the absolute beauties of software is the amazing ability to create feature changes at will, and in our home metaphor it is like being able to add on an extra floor to the house without needing a single nail, stud, or can of paint.
But we're not really talking about feature enhancements, we're talking about security fixes. We're talking about the bare minimum of software that works and works securely. I know, easier said than done, but that's sort of the point, isn't it?
Wait, You're Just Blaming Developers!
No, I'm definitely not. I will tell you I was never once "taught" how to write my code in a secure way, in the countless hours of instruction I have received on the topic. I've also never been rewarded for writing "secure" software. Have you? My guess is that if you're a professional developer you've been rewarded for writing "fast" software, or "feature rich" software.
Now let's talk about open-source software. Log4j was never written to be enterprise software. It, like most if not nearly all open-source software, was written by somebody trying to solve a problem they had. It was shared with the world because this kind soul figured that if they were having this problem somebody else was too, and why not share their solution? Two decades later it was suddenly the center of a massive panic attack by the software community in general because it turned out to be insecure. Was that really Ceki Gülcü's fault? Or are the companies that decided to use his software as an unquestioned part of their products and solutions really to blame? How many of them reached out to the Log4j maintainers to help them secure that software? How many of them forked Log4j and added security themselves? How many of them compensated that team with funding or other support so they could spend more time securing the software?
It's Economics, Dummy!
I get it. Culturally, first to market generally wins, at least for a while. I'm not naive enough to think that we're going to suddenly stop chasing the almighty dollar and flip to secure code by the end of next year, though I wouldn't mind that. No, I get it. But I think there's a case to be made for "penny wise and dollar dumb" on this issue. Just ask all the customers of MOVEit. Heck, even cybersecurity software vendors aren't immune from this issue. (I'm still waiting for the legal action on these - Delta Air Lines, I'm looking your way.) Oh, and we literally let them skate on this because somewhere buried in the EULA/T&Cs/License it says something about the use of the software being "as is" with "no warranty." In any other industry I'm aware of, a "new" product has a warranty; "as is" is for used cars and sketchy home purchases.
But back to the penny wise and dollar dumb: how many billions of dollars are spent each year on "add on" cybersecurity solutions that would be unnecessary if software was secure to begin with? We'd be left with what, phishing and credential harvesting as the major issues?
So What Do We Do?
Here, again, CISA leads the way with recommendations, but their recommendations are primarily aimed at corporate software buyers. How about the rest of us?
Software Development Companies
Please, take a direct interest in the security of the components you use. Support the open-source communities whose software you are otherwise using for free. Be comprehensive about the secure development of your own components, and test thoroughly, repeatedly, and often.
End Consumers and Small Business Buyers
Influence. Share your views. Share your concerns. Make it apparent that you expect secure software. Support providers who make it a point to secure their software.
We can all be the change we want to see about this. Let's work together to make sure our software houses are built right the first time, and look forward to those updates for features, not fixes.