ao link
Business Reporter
Business Reporter
Business Reporter
News
Technology
AI & Automation
Communication
Digital Transformation
Industrial Innovations
IoT
Mobile
Smart Cities
Cyber Security Site
Management
Best of Business
Energy
Future of Work
Healthcare
Human Resources
Future of Enterprise
Retail
Customer Experience
Risk Management
Supply Chain
Finance
FS, Banking & FinTech
CFO
Fraud Prevention
Insurance
Payments
Sustainability
ESG
UN SDGs
Sustainability Talks
Responsible Business
Resources
Print Reports
White Papers
Business Learning
Events
Talk Shows
Supply Chain
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Digital Transformation
Upcoming Episodes
On-Demand
Hosts
Speakers
MarTech
Upcoming
On-Demand
Hosts
Speakers
FinTech
Upcoming
On-Demand
Hosts
Speakers
teiss (Cyber Security)
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Jobs
Search Business Report
My Account
Remember Login
Register|Reset Password
My Account
Remember Login
Register|Reset Password
News
Technology
AI & Automation
Communication
Digital Transformation
Industrial Innovations
IoT
Mobile
Smart Cities
Cyber Security Site
Management
Best of Business
Energy
Future of Work
Healthcare
Human Resources
Future of Enterprise
Retail
Customer Experience
Risk Management
Supply Chain
Finance
FS, Banking & FinTech
CFO
Fraud Prevention
Insurance
Payments
Sustainability
ESG
UN SDGs
Sustainability Talks
Responsible Business
Resources
Print Reports
White Papers
Business Learning
Events
Talk Shows
Supply Chain
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Digital Transformation
Upcoming Episodes
On-Demand
Hosts
Speakers
MarTech
Upcoming
On-Demand
Hosts
Speakers
FinTech
Upcoming
On-Demand
Hosts
Speakers
teiss (Cyber Security)
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Jobs

Playing the software security blame game

Technology07 Jun 2024

John Smith at Veracode asks whether software providers should be more responsible for security

 

Playing the blame game is often the first port of call whenever a security breach occurs. From the outside, it’s business leaders who tend to take the most public scrutiny for cyber-security incidents, with press and customers alike asking how they allowed this to happen.

 

From there, business leaders turn their attention internally to their IT and security teams and ask the same questions. When a breach occurs, it’s ultimately due to existing security vulnerabilities that should have been identified and addressed earlier; so it’s natural that the blame tends to fall on teams whose main responsibility it is to find these vulnerabilities.  

 

But in recent years, debate has started to shift, with some beginning to question the level of liability that software vendors should hold when a vulnerability in their product is exploited. The idea that more onus should be placed on software providers to put security first has been around for a while, with the House of Lords even recommending holding software vendors accountable back in 2007.

 

But with high-profile breaches now seeming to happen on a weekly basis, such as the Log4j exploits or the CitrixBleed attacks, questions are being asked. It’s often claimed that an emphasis on blaming individual user errors and company decisions for breaches has permitted a culture of persistent security flaws, allowing spiralling security debt (which refers to any vulnerability left unfixed for more than a year) to take hold. 

 

There is much work to be done to improve the state of software security, but it isn’t a matter of blame. Rather, this is an opportunity for vendors to rise to the challenge, prove they are dealing with security vulnerabilities, and act with their customers’ best interests in mind.

 

But where should they begin? The answer lies in proactively reducing security debt.  

 

 

Keeping up the positive momentum

When looking at the progress software developers have made when it comes to addressing flaws, we can see that they are certainly stepping up to the challenge. Our recent State of Software Security Report showed some positive signs, with the prevalence of high-severity flaws reported by businesses having dropped to half of what it was back in 2016.

 

Persistent issues, however, still haunt many organisations. Ther first concern is that more than 70% of organisations are still grappling with security debt – a worrying statistic given how much more susceptible an organisation is to breaches with unaddressed vulnerabilities. 

 

A deeper dive into the statistics shows this could be even more worrying than it appears at first glance. Almost half (46%) of organisations have persistent, high-severity flaws that constitute critical security debt, whilst only 35% of teams demonstrate a sustained capacity to eliminate all critical security debt.

 

If software providers really are to step up to the challenge and solve these security issues, they need to develop a strategy that prioritises reducing security debt for organisations using their software. 

 

 

How can vendors reduce risks 

Software providers play a pivotal role in shaping the security landscape, and as the complexity of threats continues to evolve, their responsibility in mitigating risks becomes increasingly crucial. The most important thing is for vendors to address risk prioritisation and scalability. Good risk prioritisation processes allow software providers to focus on addressing critical vulnerabilities efficiently, and minimise the likelihood of breaches and associated security debt.  

 

Scalability is also essential – software providers need to be able to adapt and respond effectively to varying levels of demand and complexity within their security initiatives. That way, they can put themselves in the best position to respond swiftly and adapt to emerging threats, as well as optimise their resource allocation and focus their efforts on the most critical areas.

 

All this combined will help vendors reduce risks of breaches within their software, minimise organisational security debt, and enhance their ability to protect customers and safeguard their reputation by instilling confidence in their security measures.  

 

The security landscape is increasingly difficult to navigate. With threats from new technologies becoming ever more pervasive and complex, it’s increasingly important to prioritise software security. Yes, organisations must hold themselves accountable for safeguarding their digital assets, and internal scrutiny is necessary to address vulnerabilities effectively.

 

However, as the landscape evolves, so too must our approach to accountability. This shift isn’t about assigning blame; it’s an opportunity for vendors to demonstrate their commitment to security and contribute to a safer digital ecosystem.

 

As we navigate the complexities of cyber-security and aim to reduce security debt across the board, collaboration, accountability, and proactive risk mitigation will be essential for a secure and resilient future. 

 

 

John Smith is EMEA CTO at Veracode

 

Main image courtesy of iStockPhoto.com and solarseven

cyber securityRisk ManagementTechnology

Most Viewed

Business Reporter

23-29 Hendon Lane, London, N3 1RT

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

Cookie Policy
Terms of Business
17 Global Goals
Campaign Schedule
Lead Generation Media Kit
Sustainability Report
Contact Us
Privacy Policy
Terms and Conditions
Breakfast Briefing Media Kit
Media Kit
BR Studio
Content Guide
Traffic Drivers
Case Study

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543

We use cookies so we can provide you with the best online experience. By continuing to browse this site you are agreeing to our use of cookies. Click on the banner to find out more.
Cookie Settings