Outgoing CISA chief Jen Easterly recently compared secure software development to automotive safety, arguing that we are at an inflection point similar to 1965, when Ralph Nader published the book Unsafe at Any Speed. The book spurred public outrage over road safety, which helped foster the widespread adoption of innovative vehicle safety measures.
After reading Jen's posts on the topic, the open question remains: are we really at a point where we can use outrage about insecure software risk to drive change? Let's see if we can objectively view this question and determine what needs to happen in 2025 alongside continued public pressure. For CISOs and IT software buyers, besides your day-to-day improvements, demanding that the software you purchase is secure, and asking your vendors to pledge to Secure by Design principles, what else should you do to help move the needle?
Show me the incentive, and I'll show you the outcome
The comparison between automobile risk in the 1960s and software risk in the modern era is evident. Rapid technology innovation has resulted in unsafe products being used daily. The software world, much like the automotive industry in the 60s, prioritises getting to market faster than the competition. Software developers face continued pressure to release products as quickly as possible, often at the expense of the security of the code. Security is perceived as slowing down the development cycle and is often a bolt-on after the fact.
To quote the great Charlie Munger: “Show me the incentive, and I'll show you the outcome.” Software developers don't write secure code if they have no incentive to do so. To make matters worse, the companies they work for have very little incentive to focus on the security of their products either. IT and CISO buyers have been procuring insecure code for as long as code has existed.
The automobile industry had a similar problem. Cars purchased up to that point were not bought because buyers trusted they were safe. People weren't going to the automobile dealerships (did they have dealerships in the 60s?) and asking questions about the vehicle's safety rating or whether it had a safer steering column and a padded dashboard. They purchased vehicles based on the look, the style, the top speed and acceleration, and, most importantly, the joy they received while operating the new mode of transportation. Safety was not a required feature and was thus an afterthought. This is almost identical to how we have built and purchased software up through today. We prioritise and purchase based on the value we get from the software, with little to no interest in how secure it is.
There is no incentive to prioritise security when that's not what buyers demand. The automobile industry required consumer recognition of the problem, resulting in an outcry for better safety standards, before automobile manufacturers would “waste their time” on it.
We won't see an 'Unsafe at Any Speed' moment for software in 2025
The software industry hasn't learned from the automobile industry's past for a few key reasons. First of all, when you get into a car accident, there is a nontrivial chance of the loss of life. People die when there are no safety features present in their cars, and even a small number of deaths is unacceptable to the public. The consequences of a motor vehicle accident were immediate and visceral and left a lasting impression in the mind of anyone who was in one or saw one. Software is different. When the software on your TV, for example, breaks, you just reboot it.
Until recently, in the worst case, the vast majority of software flaws resulted in the compromise of some anonymous corporate entity with little to no bearing on the populace. Sure, there might be a very small chance that their accounts were compromised, money directly stolen from them, or fraud perpetrated against them, but most of the consumer world believes that it won't happen to them, and by the law of large numbers, they are probably right. And if it does, they are insured, covered for loss, and most of the time, only suffer from having to jump through lots of hoops to regain what they've lost.
Because of this laissez-faire attitude toward the risk, it is much easier for the software industry to ignore the problem and write it off as a cost of doing business. In other words, there is no demand for change.
In addition to the difference in risk between automobiles and software vulnerabilities, the complexity of the software landscape dwarfs that of the automobile industry of the 1960s. If we could quickly implement four to six software processes and fix the entire global software risk register, I promise we would. The problem is far more complex and challenging to fix than what the fewer than 10 large auto manufacturers of the 1960s had to figure out. If only 10 software development firms existed today, it would be easier to mandate change.
However, software is literally in everything that we touch. From IoT devices to children's toys, software has eaten the world, making securing that software a much more difficult task to complete. Automobile builders had to make a few changes to their products and were ready to sell. They didn't have to change the entire manufacturing world for every product available to the public to move towards safety. Here is where the comparison falls short.
SBD and the push to secure our software
This incredible level of complexity begs the question of who is responsible for fixing the problem. In May 2024, there was a major push for software vendors to sign the “Secure by Design (SBD) Pledge.” Currently, over 250 companies have committed to following Secure by Design principles and ensuring that their software is created with security standards at every step of the development process.
I love the Secure by Design pledge, but 250 companies is a drop in the bucket; according to CyberDB there are over 3,500 cyber security companies alone. These are just the companies that are working to secure our daily lives. 250 signatures is a mere blip compared to the number of companies in the United States. Some research claims there were over 33 million businesses in the US alone in 2024, the bulk of which are small businesses. The difficult problem is getting to the tipping point required for businesses across the US, and the world, to realise that the risk is too high and demand change from their software vendors.
Research from the University of Pennsylvania's Annenberg School for Communication and the School of Engineering and Applied Science shows that approximately 25% of a population is required to hit the tipping point for large-scale social change. We aren't even close.
What I think we should be thinking about isn't how we fix code security problems better or faster, but instead, how we get to the tipping point where the incentive structure changes, and with it the software and the world itself. If we think of it this way, we quickly see that change will only come when a groundswell of buyer demand and government-mandated regulations are implemented.
Fixing secure code as a movement in 2025
Given the negative outlook and tempered expectations that I've presented, you probably regret reading this article. I'd love for you to leave with the opposite idea in your brain and maybe approach 2025 as the year in which the software industry can move closer to the tipping point for building software more securely.
Similar to the issues discussed in Unsafe at Any Speed, companies that write software of any kind will continue to push back on ownership of the problem and attempt to deflect or ignore responsibility for any health, safety, and security issues. As software is used increasingly in life-or-death situations such as healthcare, automotive, emergency communications, etc., the business and buyer demand for less risk will increase.
If we are loud enough, at some point, software liability will shift to those who are building the product, and when it does, the incentive structures will change, and companies will pay much more attention because it affects their own business. Sadly, I don't think we'll ever get to the point where businesses care enough about code security to prioritise it just because it's the right thing to do for their customers. Instead, to achieve our goals, we have to make it imperative to the health and success of their business to write more secure code, and the only way to do this is to be very vocal and demand change.
So, what can you do as a CISO and IT software buyer in 2025 to help move the needle and grow toward the secure code tipping point? First and foremost, we need each of you to be educated on the risks of software flaws and to help articulate these issues to the developers of the software that you purchase or license. Users and developers must be more aware of the importance of security and the potential consequences of software vulnerabilities to both the company that builds the software and the people that use it.
Second, and likely more critical, you must push your government representatives and agencies to become more educated on the topic and build stronger regulations and standards for secure software. The automobile would never have become safer if government agencies hadn't stepped in and put regulations and standards in place that demanded that motor vehicles meet at least a minimum level of safety. We have to have regulations in the software world that place the tipping point within reach, and it's up to the buyers and users of software to push the government on this front. Liability must shift back to the builder, which will only happen once the government gets involved. It'll take an army, but if we scream and yell loud enough over time, and purchase only software that is moving toward improvement, we will see change.
The slow march to 'Secure at All Speeds'
Just as Unsafe at Any Speed was a wake-up call for the automotive industry, a growing awareness of software security issues and the impact of vulnerabilities on human safety and health is building pressure around the world. We must keep moving toward a 'Secure at All Speeds' software development world.
I don't think we'll see the tipping point in 2025, but each of us must approach this change with a uniform rallying cry to build the volume required to be heard at the highest levels. Thank you, Jen Easterly and the CISA team, for the groundwork you've done towards this movement, and I hope 2025 is the year where we will work together to take daily steps toward success.