Finding the Source
But how did all the software bugs get there? For starters, even the best developers in the world write software that contains bugs. There is no such thing as "unbreakable." Security vendors themselves have problems. The Witty Worm, which recently wreaked havoc with Internet Security Systems' BlackICE firewall, is an example.
But developers have a history of building software that doesn't take security into account at all, or does so only as an afterthought. It's not easy to change coding practices, and secure software is more expensive and slower to develop than stuff that's churned out and thrown over the fence.
Also consider that most programmers aren't trained to build secure software. Educators must start teaching secure coding practices in all facets of their computer science curricula. Application and Web developers must understand when to choose languages that include strong safety and protect their programs from buffer overflows and race conditions. They must learn to follow the principle of least privilege--use only the access they need and no more. A program with administrator access should run in "administrator mode" only when it's essential.
Software packagers must obey this rule as well. Who hasn't installed an application that needlessly required root or administrator access, or that was loose with default file permissions? Developers must know when to let go of risky lower-level languages, such as C and C++. Software architects must build security into their designs. And researchers must develop new languages and methodologies that eliminate common programming errors.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
