Comment Re:Why commercial software security will always su (Score 1) 81
Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.
* Commercial software (that is not explicitly designed to be secure) is provided by vendors with just good enough security. Security could be a total facade, but it appears to be secure and thus is selected by businesses.
* Vendors of software explicitly designed to be secure will have a much better chance of resisting hackers, as their reputation is a major factor in profiting. However, they are still profit-seekers, so there are limits to their own security.
* Hackers specialize in different pieces of software, and the fewer the vulnerabilities, the longer specialization requires. When a hacker (group) specializes in a piece of commercial software and exploits a vulnerability, then the vendor's response is a patch that is just good enough to prevent it from happening in the same way. Vulnerabilities in a similar vein may be discovered in the process and patched, but there is no grand effort to seek out all vulnerabilities that spans any meaningful length of time.
* For the corporate user, if too many security breaches occur due to a particular piece of software, then that piece of software is not selected for and thus a new piece of software replaces its function. The new software may or may not have superior security, but by switching, anyone specifically targeting you must specialize in a new piece of software, which is done in the hope of increasing the cost/time for you to be attacked by the same actor.
* If the commercial software is a dependency of other software, then it can cause a locked-in effect where the (perceived) cost of moving to a new system exceeds the cost of further breaches. So even if commercial software is likely to be breached again, so long as the (perceived) cost of switching software exceeds that of another breach, then the commercial software is determined to be just good enough and thus remains selected for.
The result is that businesses will continue using bad commercial software so long as it is perceived as just good enough. Before most commercial software was deeply tied to relying on remote servers, old versions of software remained just good enough, so long as no unsolvable problems were encountered. Remote servers are now used to function as an instant unsolvable problem, thus forcing a version upgrade which adds new vulnerabilities.
Final note: Commercial software will ALWAYS fail when pitted against nation-state actors because the cost to a nation-state is largely irrelevant, as the primary motive is using the information gained from the breach. As such, the only way to resist nation-state actors is to use software and hardware that is designed expressly to be secure. That said, doing this merely shifts the focus/burden to the system/people that surround your software/hardware.
For something like a major insurance company, they should be assuming that they will be hit by nation-state actors and that they need to have a plan B, plan C, and probably a plan D for when it fails. It doesn't seem like they were prepared.