Please respond to the post below and ask questions if need be. This is for discussion.
Cybersecurity: It’s All About the Coders
In this talk the speaker sets the scene by talking about how technology impacts everyone and highlights how it has permeated nearly every facet of our lives. With that being said, he emphasizes how critical it is to have secure technology. Through the lens of the CIA triad, the speaker poses questions of: Who has access to my data? (Confidentiality.) Who can modify my data? (Integrity.) And do I have access to my data? (Availability.) These questions frame the context of his talk, and he reminds us that software is quickly changing and evolving while hardware moves at a much slower pace – and this is exemplified by the never-ending sea of software applications encountered in daily life that include Google, Facebook, banking applications, data analysis tools, and more.
In the context of software security, he proposes the example of leaked credit card numbers, which can be mitigated by the bank issuing a new card; that takes a matter of days at most and costs only a few dollars. In contrast, medical data, once leaked, can never be un-leaked, and the facts of your medical data are unchanging, unlike a credit card number. This example drives home the importance of software application security for the prevention of data loss.
Because we live in a software application-driven world, the power and responsibility in the hands of software developers are monumental. Yet, they learn little about baking security into their products and see it more as a specialization or an afterthought. The speaker passionately emphasizes that this must change and that security must be built in from the start. In my personal education, I have been taught this in theory – secure by design – but I have experienced little to no instruction on the specifics of how to do this or even completed labs and projects that provide practical experience in designing and writing code that is secure by design. Sure, I’ve learned a lot of methods for testing software’s security, but the application of this skill as a foundation for writing software has been sorely missing from my experience.
I agree with the speaker yet find his call to action lacking in the same way my education has been lacking. How EXACTLY should this be taught? How EXACTLY do you want software developers to meet this expectation? Theory is only good to a certain point, and what is missing is how to put that theory into practice.
The speaker posits that we need a change in how we create coders and says that they should be asking, "What shouldn't my software do?" But I fail to see him providing any insight or information on the instruction or a framework for executing the request.
On April 13, 2023, several U.S. government agencies and international agencies announced in agreement that "Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws" (https://www.washingtonpost.com/politics/2023/04/13/us-launches-secure-software-push-with-new-guidelines/). Although not mandatory, this indicates a welcome shift towards built-in software security and security by design. This announcement communicates a goal to push software manufacturers to be accountable and responsible for releasing secure software, rather than leaving that to the users. This announcement comes as a push from the Five Eyes (U.S., Australia, Canada, U.K., and New Zealand) plus Germany and the Netherlands. The end goal is a more secure technological ecosystem that will benefit public and private sectors alike.