There is a question pertaining to cyber attacks that continues to pique my interest. Can software be completely secure from all forms of cyber attacks and hackers?
Next week, hackers from all over the world will transcend upon Mandalay Bay in Las Vegas, Nevada for Black Hat Conference and then Defcon. In the wake of cyber attacks, such as WannaCry and NotPetya, and in honor of BlackHat Conference next week in Las Vegas, I feel a need to discuss an ongoing sentiment in IT circles that I find irrational and a bit dangerous.
Ignorance Is a Cyber Threat
In a world that runs on software, anything you don’t know will certainly hurt you. The problem is that many people in the IT profession—far more than I’d like to admit—refuse to consider that there are plenty of unknown vulnerabilities in their infrastructure. This, by nature, leaves business infrastructures open to cyber attacks. History has shown that this is a dangerous mentality and ignorance is a fire that blinds and burns violently.
In order to minimize the risk of cyber attacks on critical infrastructure, IT teams obviously need to be vigilant. I'd also argue that they need to use penetration testing as much as possible. And even if you have all the latest security patches for all software and systems, you will never be completely
risk free from cyber attacks. I would even go so far as to say that software can never be bug free or safe from hackers. Bug free software is impossible because there are an infinite amount conditions that could leave software and systems vulnerable.
Cyber Security is an Endless and Thankless Task
Over the years, I have had many conversations and arguments about how secure software and critical infrastructure can actually be. By secure, I mean it is free from as many vulnerabilities “as possible” that are vectors for cyber attacks. Note that I quoted “as possible.”
Much to my dismay, many of these arguments consist of opposite parties laying claim that there are applications free from all forms of cyber attacks. In other words, there are no security flaws. These claims would equate to the amount of vulnerabilities in any given software or system as being finite.
Some argue that less lines of code and simpler apps are less likely to have bugs and security flaws. Others argue that millions of lines of code are less likely to have bugs and security flaws because minor flaws where cyber attacks could wreak havoc are harder to find.
Personally, I have a hard time grasping the idea of perfection in software. I do not believe anything man-made is perfect, nor will it ever be. I think software inherently contains an infinite amount of vulnerabilities. It’s just a matter of how far a hacker must go to expose those vulnerabilities.
Aliens Do Exist, But Zero Bug States Do Not
I can thank my years as a software tester for solidifying this belief. Ask most testers and they will agree that all software has an infinite amount of bugs, whether known or not. Bugs may require an extraordinarily high amount of conditions as an edge case, and they may not be important enough to fix, but I argue that they are bugs nonetheless. Therefore, there is no such thing as a zero bug state.
What about cyber security flaws as they pertain to bugs? Shouldn’t a vulnerability be considered a type of bug? This is where I tend to get some backlash from software engineers. The definition of a bug, or even a vulnerability, tends to twist the argument of a zero bug state, or a zero vulnerability state for that matter, into a game of semantics.
If a bug is not important to the developers, or if it will not affect the end user negatively, is it a bug? If a vulnerability exists but is never discovered, is it still a vulnerability? If a tree falls in the middle of the woods, and no one is around to hear it, does it make a sound? Do aliens exist?
I believe the answer to all these questions is yes. But I don’t believe there are aliens living amongst us.
My point is that you would be wise to consider that there are software conditions unbeknownst to us that could cause a state that is perceived as negative. Or hackers could find a critical cybersecurity flaw, even if by injection, brute force, or phish attack. The cyber threats are endless.
Faster App Deployment Means More Bugs
Another reason that software will never be completely secure is that over the past decade more and more companies have adopted Agile methodologies. This iterative approach to software development has been both a godsend and a curse. Agile allows businesses to make software "good enough" to deploy to end users, but it also leaves vast amount of the software untested.
It may be that the application only needs to be tested to be good enough for the user to get some task done. And that's fine, but developers should be more cognizant of cyber threats within their software. That may take some time and some cultural changes in the tech industry, but it is necessary to make it harder for hackers to take advantage of software security flaws.
Wannacry, Petya, and Cyber Warfare
Even if you were to patch every known vulnerbility in your infrastructure, you would still be at a loss because hackers, the national security agency, and even nation states like North Korea and Russia, are continuously analyzing new ways to infiltrate software and systems.
This may not concern you depending on your industry or the service you provide. It may not concern you on a personal level. But as we have seen, it's just a matter of time until cyber criminals, whether they be lone wolves or hacker groups, have access to hacking tools nation state actors are peddling away in secret vaults. Time and time again, someone always leaks the goods.
In either case, you may get caught in the crossfire. Consider the latest attack with NotPetya and how businesses that had very little to do with Ukraine were affected. I don't know about you, but I would like to assume I don't know what is going on behind closed doors. Take a look at today's seizure of black market sites on the dark web taken down by the FBI. Some are saying they found these hidden servers by using a backdoor that is not publicly available or known to hackers. The FBI is of course staying silent.
Patch and Test Continuously
When it comes to vulnerabilities in any critical infrastructure, the wise always patch their systems and applications regularly to protect from newly discovered vulnerabilities. Not doing so is exactly why we see so many data breaches and malware attacks today. Most malware attacks, and I mean 99.9%, are coded to infiltrate via known vulnerabilities. It could be malware, phishing, ransomware, etc.
However, it is equally unwise to believe that you know everything, and that is why we must continue to test, test, test! Penetration testing especially is your best friend when it comes to cyber security. Who know? Maybe you will discover some new malicious software that is as potent as the stuxnet virus, laying dormant, until it attacks the next power grid.
No matter how long you’ve been working as a systems engineer or a software developer, there are still flaws and vulnerabilities waiting to be discovered. That doesn’t mean they don’t exist.