{"id":14997,"date":"2014-08-22T18:06:30","date_gmt":"2014-08-22T18:06:30","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2425"},"modified":"2019-11-15T23:08:15","modified_gmt":"2019-11-15T12:08:15","slug":"can-we-beat-software-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/can-we-beat-software-vulnerabilities\/14997\/","title":{"rendered":"Can we beat software vulnerabilities?"},"content":{"rendered":"<p>Here is another rhetorical question in cybersecurity: is it possible to beat something that has been around for as long as software itself?<\/p>\n<p>In computer security, a \u201cvulnerability\u201d is a weakness that allows an attacker to reduce a system\u2019s information assurance. It is the intersection of three elements: a flaw in the system, attacker access to the flaw, and attacker capability to exploit the flaw. In software, a \u201cbug\u201d is a fault that causes the program to produce an incorrect or unexpected result, or to behave in ways its developers and users did not intend. Not every bug is a vulnerability: a fault that no attacker can reach, or that cannot be turned to an attacker\u2019s advantage, is a quality problem rather than a security one. In other words, vulnerable software usually works fine, but when it is approached in a \u201cdifferent manner\u201d (i.e. with malicious intent and the appropriate tools), <em>things may happen<\/em>. And they actually do.<\/p>\n<p>Without bugs, spreading viruses and Trojans, planting backdoors and growing botnets would be much harder. So it is fair to say that bugs are the foundation of information security problems, or at least one of the foundations, because besides vulnerabilities in software there is always the \u201chuman factor\u201d and the possibility of using social engineering to get into even the most secure system.<\/p>\n<p>In an \u201cideal world\u201d of bug-free software, the information security industry would look very different and would most likely be much slimmer than it is today. 
It is a classic dilemma: had there been no war, there would be no need for an army; had there been no crime, no police would be needed; had there been no disease, there would be no doctors. But there are wars, crimes and diseases, and so there are soldiers, police and doctors. And all of them also make mistakes and sometimes commit crimes. <\/p><blockquote class=\"twitter-pullquote\"><p>Can we beat software #vulnerabilities? #security #notgonnahappen<\/p><\/blockquote>\n<p>Software vulnerabilities are comparable to diseases, or more accurately to predispositions to disease (and so security experts are something like doctors). In a living organism such predispositions are determined genetically in some cases and caused by birth trauma or an unhealthy environment in others.<\/p>\n<p>What causes software flaws? As a rule, vulnerabilities are the result of development mistakes, insufficient quality assurance and\/or an outright wrong approach to coding, i.e. software written without security in mind from day one. Later there may be stacks of patches, swelling the package to twice its original size, and still more bugs keep being discovered, simply because the software is \u201cgenetically\u201d vulnerable. Patching individual findings does not remove the predisposition: a bug class rooted in the design, such as unsafe memory handling or trusting input that crosses a privilege boundary, keeps resurfacing until the design itself is changed.<\/p>\n<p>There are religious sects that object to medical care, proclaiming disease to be punishment from above. 
It would be interesting to look at their \u201ccounterparts\u201d in the cyber world; however unlikely their existence may seem, it would make a nice cyberpunk plot twist.<\/p>\n<p>So, can we bust all the bugs completely?<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2017\/05\/06020319\/wide-2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2440\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2017\/05\/06020319\/wide-2.jpg\" alt=\"wide-2\" width=\"1000\" height=\"646\"><\/a><\/p>\n<p>Yes, sure, just as soon as the ancient proverb \u201cerrare humanum est\u201d no longer applies to mankind. How soon is that going to happen?<\/p>\n<p>There is always a temptation to put the blame for bugs on developers, i.e. the people who write the code. From time to time you hear \u201cdemands\u201d to hold developers accountable for mistakes they failed to fix before the software went on sale. But software vulnerabilities are largely an organizational problem that has little to do with the coders\u2019 qualifications. Besides, some bugs stay \u201cbelow the radar\u201d for years, as shown by Heartbleed in OpenSSL, the \u201cStuxnet flaw\u201d and many others. Neither developers nor end users knew anything about them until the vulnerabilities were discovered, either by security researchers or by criminals. So who is to blame is a tempting but, in the end, irrelevant question. Let\u2019s say it plainly: beating software bugs completely is impossible. <\/p><blockquote class=\"twitter-pullquote\"><p>Some #bugs can stay undetected for years. 
#security<\/p><\/blockquote>\n<p>However, a \u201csecurity in mind\u201d approach, good quality assurance and responsible handling of newly discovered flaws can improve matters dramatically, reducing a system\u2019s susceptibility to malware and other attempts to misuse it. By \u201cresponsible handling\u201d we simply mean an adequate response to bug reports and quick release of patches. Today most software vendors have bug tracking and bug reporting instruments in place; without them things would be much, much worse. This is much like prophylaxis against colds, flu and other diseases, which helps us stay healthy even in bad weather and on crowded city transport, where it is especially easy to catch a cold or some other airborne malady.<\/p>\n<p>And businesses and end users have to deploy security solutions, because, yes, software vulnerabilities are being exploited by attackers and malware, and unfortunately they are here to stay for a long time.<\/p>\n<p>What are the requirements for an effective corporate security solution for dealing with vulnerabilities? First, it should be able to detect vulnerable programs and suggest updates, or even install them automatically. Of course, this has to be done automatically across all endpoints, which presupposes an accurate inventory of what is installed where: you cannot patch what you do not know you have. It is especially important at enterprise level, where IT departments have to deal with hundreds (if not thousands) of endpoints with a wide range of software installed.<\/p>\n<p>Second, the security solution has to detect and block attacks that exploit vulnerabilities, including \u201czero-days\u201d, security holes for which no patch exists yet. 
At Kaspersky Lab this is achieved with a number of technologies, including Automatic Exploit Prevention, which watches for unusual and potentially harmful activity from regular applications and blocks it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Can we beat software vulnerabilities? It is not possible to do so completely, but there are ways to mitigate the problem.<\/p>\n","protected":false},"author":209,"featured_media":15926,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[282,118,2158],"class_list":{"0":"post-14997","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-software","11":"tag-software-vulnerabilities"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/can-we-beat-software-vulnerabilities\/14997\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/can-we-beat-software-vulnerabilities\/14997\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/can-we-beat-software-vulnerabilities\/14997\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/14997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=14997"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/14997\/revisions"}],"predecessor-version":[{"id":25017,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/14997\/revisions\/25017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15926"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=14997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=14997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=14997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}