Why software vulnerabilities exist

If A = B and B = C, then A = C

This is known as the transitive property of equality and dates back to early Greek mathematics. In part, it helps answer the question as to why so many security flaws exist in software.

People write software

People are flawed

Software is flawed

This has been true since the first software code was written. However, in the early days, systems were closed off from outside contact, so the risk of malicious access was low. Even in the 1990s, most business computing environments were Local Area Networks, or LANs. While there were ample security holes in software, apart from risks introduced via infected floppy disks, an outsider had limited ways to exploit them.

Enter the internet. All of a sudden, every LAN on the planet is interconnected, from your local non-profit agency to the Department of Defense. Security controls, including firewalls, can be put in place to limit access, but those tools are simply more software running security processes, meaning there is that much more opportunity for vulnerabilities to exist, sometimes in the security tools themselves.

Enter organized crime. Bank robber Willie Sutton, when asked why he robbed banks, said “that’s where the money is”. Modern organized crime realized the money is now in data: they can steal sensitive information and extort the holder under threat of releasing it, sell the data to others, or encrypt the data and extort the holder to regain access to it via ransomware. All are proving highly lucrative to those with the desire to make their stake on the misfortune of others.

Some of the vulnerabilities exploited by these malicious actors have existed for years, and the software developers just hadn’t gotten around to patching them yet. The average business uses oodles of flawed software, and the older the version, the more holes are likely to exist.

It’s a dangerous world, and even if everything under your control is done right, there is always the possibility of falling victim to a zero-day event. Therefore, to have a fighting chance, it’s critical to address what is under your control. Leverage strong password practices. Upgrade software to the latest versions that are supported by the manufacturers, and leverage an advanced update management solution to keep that software updated. Run advanced detection tools such as Managed Detection and Response to look for the ways malicious actors commonly seek to gain access to data via known vulnerabilities. Most importantly, develop a Security Mindset so we can all Keep Calm and Compute On.