New software vulnerabilities are announced all the time. In fact, according to the NIST database, last year a new software vulnerability was announced every 57 minutes.
A software vulnerability is defined as a flaw in a software program that may allow a third party or another program to gain unauthorized access. Some experts say that over 70% of the nearly 7,000 vulnerabilities discovered last year were exploitable remotely. This remote reachability is what makes them valuable assets for cyber attackers.
The ability to rapidly respond to and mitigate the risks posed by these vulnerabilities is one of the most important parts of computer and network security. Vendors rapidly respond to the reports of newly discovered vulnerabilities in their products. But wouldn't we all be better off if the vulnerabilities did not exist in the first place?
I consulted a 25-year veteran of the software industry who hails from one of the icons of that industry, and posed the following question to him: based on your experience, how often do software vendors investigate the root cause of reported vulnerabilities? He said, "They don't -- they jump in and try to create a patch."
I followed up and asked, "So you are saying they do not look to see if the vulnerability was purposefully programmed?" After a significant pause he said, "We never considered that possibility; we only worked to respond to the vulnerability."
If that's not bad enough, think about the amount of software being developed offshore. Product liability exists in virtually every other product category except software. How would you react if every 57 minutes your car dealer called you and said there is a problem with your car? We have been conditioned to accept software products with these problems, and we have allowed organizations to protect themselves by hiding behind the armor of the "Software License."
If software vendors, whose products run our critical infrastructure, do not investigate whether these vulnerabilities are actually acts of espionage, that would seem to be a critical flaw in our efforts to protect ourselves against cyber attack.