
CYBERSECURITY: ARE SOFTWARE DEVELOPERS THE ACHILLES’ HEEL?
By Rhonda Chicone, Kaplan University Faculty, Published 2015.
The Software Lay of the Land
No one can dispute that software is everywhere; just pick up your
smartphone and take a look at the applications you have installed. Some
reports suggest that by 2017, there will be more smartphones in the world
than people. Yet smartphones are old news. These days we’re hearing a lot
about the “Internet of Things” (IoT), which includes embedded software
systems that control wearables (a Fitbit or Apple Watch, for example),
software that controls machines that talk to other machines, and smart sensors that are making household
environments intelligent and responsive. The smartphone and IoT widgets are great, and software is what makes
them come alive. The demand for highly skilled software developers will continue to rise, as software will be in
virtually everything as we move forward as a society; it can’t be stopped. Our world is now connected and
technology has been integrated into our lives.
An Example of What Could Go Wrong
Go back to your smartphone. Do you happen to have a banking application on it? If not, let us imagine you do.
Imagine a scenario where the banking application has a flaw (otherwise known as a bug) that is not detected by
the end user (you). In cybersecurity terms, there are certain types of bugs that expose a software application
weakness or vulnerability. These types of software vulnerabilities are typically caused by the software developer
doing something wrong when he or she is coding the software application. Certain types of software vulnerabilities
can cause major harm. People are targeted every single day. For example, ZeuS, a well-known banking malware
(malicious software), was originally discovered in 2007 and targeted Microsoft Windows–based computers. Several
variants have appeared since then, including Zitmo, which takes aim at mobile users (Maslennikov, 2011).
Let us get back to your banking software application. Cybercriminals love software applications that have
weaknesses or vulnerabilities. They are motivated to take advantage or exploit the vulnerabilities and to cause
harm. Here is an example: a cybercriminal tricks your smartphone into thinking it is communicating with a trusted
company’s server or computer; the trusted server thinks it is communicating with you. Instead, the cybercriminal
sits between you and your bank and eavesdrops on your network traffic. You wouldn’t know the cybercriminal was
monitoring your transactions until it is too late. In the cybersecurity domain this is called a man-in-the-middle
attack (MITM).
Those of you who are technically savvy may be saying, “What about SSL or TLS?” Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) are cryptographic protocols that protect information traveling over a
computer network (remember the Internet is a gigantic network of computers). To use SSL/TLS correctly,
organizations (or individuals) purchase a certificate from a Certificate Authority (CA). In this example, your bank
would purchase the SSL/TLS certificate from a CA, and it would be installed and configured on your bank’s web
server (the web server is a software application that resides on a physical server/computer). When you browse to
a website and ‘https’ is used in the web address (https://www.myfavbank.com), or you see the little lock icon, the
“s” means that your bank uses SSL/TLS. Popular browsers like Chrome, Firefox, Safari, Internet Explorer, etc., are
software applications that validate SSL/TLS certificates correctly.
One of the first steps in using SSL/TLS correctly is to validate the certificate, that is, to check that a trusted CA
digitally signed it, since that is what makes it trustworthy. The banking software application on your smartphone
should rely only on trusted certificates in the same way your web browser does. Now imagine that the certificate
is not validated correctly in the banking application. Your banking information (username, password) would then
effectively be traveling over the Internet unprotected, because anyone sitting between you and your bank could
present a certificate of their own and the application would accept it.
A vulnerability such as not validating a good certificate, or trusting a bad one, can be caused by poor software
development or software testing procedures. In 2014, a cybersecurity researcher at the Software Engineering
Institute’s CERT Coordination Center (CERT/CC) created an open source tool, CERT Tapioca (a set of existing
software applications packaged together and made available to the public), to help detect MITM vulnerabilities
like the one in the banking application example. The researcher automated the testing, ran it against 1 million
applications, and found that 23,000+ Android applications did not validate the SSL/TLS certificate correctly
(Dormann, 2015).
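The difference between the broken banking application and a correct one comes down to a few lines of client configuration, so here is the contrast in working code. This is an added example written for this article; it is not code from the article, from CERT Tapioca, or from any real banking application. It uses only Go’s standard library: it mints a self-signed certificate for the constructed placeholder name bank.example (standing in for a certificate no trusted CA signed, which is what a man-in-the-middle would present), serves it from a throwaway listener on loopback, and then connects four clients to it. The first has validation switched off (InsecureSkipVerify, Go’s spelling of “accept any certificate”) and accepts the forged certificate; the others validate properly and accept it only when its signer is in the trust store and its name matches the host the client meant to reach. The hostname check goes one step beyond the text above, which only discusses the signature; it is the other half of what a browser does. A server-side handshake error is expected whenever a client rejects the certificate, which is why the server goroutine ignores it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hostname is a constructed placeholder for the bank's server name, not a real domain.
const hostname = "bank.example"

// makeSelfSignedCert builds a throwaway certificate for hostname that is signed only by
// itself, so no trusted CA vouches for it. A man-in-the-middle can mint one just like it.
func makeSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostname},
		DNSNames:              []string{hostname},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake serves serverCert from a throwaway TLS listener on loopback, runs one handshake
// from a client built with clientCfg, and returns the client's error (nil = certificate accepted).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(raw, clientCfg).Handshake()
}

// Result records how each client configuration treated the same self-signed certificate.
type Result struct {
	InsecureAccepted  bool // validation switched off: forged certificate accepted (the bug)
	UnknownCARejected bool // validation on, signer not in the trust store: rejected
	WrongNameRejected bool // validation on, certificate issued for a different host: rejected
	TrustedAccepted   bool // validation on, trusted signer and matching name: accepted
}

// Run exercises the vulnerable configuration and the correct one against the same server.
func Run() (Result, error) {
	serverCert, leaf, err := makeSelfSignedCert()
	if err != nil {
		return Result{}, err
	}
	trusted := x509.NewCertPool() // trust store that contains the signer
	trusted.AddCert(leaf)
	none := x509.NewCertPool() // empty store: nothing is trusted; nil would mean "system roots"
	var r Result
	r.InsecureAccepted = handshake(serverCert, &tls.Config{ServerName: hostname, InsecureSkipVerify: true}) == nil
	r.UnknownCARejected = handshake(serverCert, &tls.Config{ServerName: hostname, RootCAs: none}) != nil
	r.WrongNameRejected = handshake(serverCert, &tls.Config{ServerName: "other.example", RootCAs: trusted}) != nil
	r.TrustedAccepted = handshake(serverCert, &tls.Config{ServerName: hostname, RootCAs: trusted}) == nil
	return r, nil
}

func main() {
	r, err := Run()
	fmt.Printf("%+v error=%v\n", r, err)
}
```

The one-line “fix” is the absence of InsecureSkipVerify: Go’s default is to validate, and the broken application is the one that had to go out of its way to switch validation off. Note the distinction between an empty trust store and a nil one; in Go a nil RootCAs means the operating system’s root store, which is what a real client wants, whereas the empty pool here only makes the rejection deterministic on any machine.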
What Can We Do to Reduce Cybercrime?
Software is everywhere; we live in an interconnected world. It is important that software developers adopt a
security-first mindset. Secure software development practices existed long before we had the World Wide Web,
the smartphone, and the IoT.
Along the way these practices were forgotten in favor of profitability, a “release early, release often” philosophy, a
“good enough” attitude, a new generation of developers slapping code onto existing frameworks they don’t
understand, exponential growth of computing power, outsourcing, etc. There are too many reasons to list.
However, in the banking software application example, I argue that if the software developer simply used basic
error checking techniques, the vulnerability would not exist to be exploited by a cybercriminal. If these types of
vulnerabilities were reduced, then cybercrime could be reduced as well. So, are software developers the Achilles’
heel in the cybersecurity domain? I’ll leave that up to you to answer.
References
Dormann, W. (2015, August 21). Announcing CERT Tapioca for MITM Analysis. Message posted to
http://www.cert.org/blogs/certcc/post.cfm?EntryID=203
Maslennikov, D. (2011). ZeuS-in-the-Mobile – Facts and Theories. Retrieved from
https://securelist.com/analysis/publications/36424/zeus-in-the-mobile-facts-and-theories/
Rhonda Chicone is a full-time faculty member at Kaplan University’s School of Business and Information
Technology. The views expressed in this article are solely those of the author and do not represent the
view of Kaplan University.
© 2015 Kaplan University. All Rights Reserved.