Key Takeaways
- Outgoing CISA chief Jen Easterly likens today’s software development risks to the automotive safety crisis of the 1960s.
- Software security is often deprioritized due to a lack of consumer demand and complex market conditions, complicating the pathway to improvement.
- The push for Secure by Design principles continues, but significant market and regulatory change is needed to ensure safe software development.
Comparing Software Development Risks to Automotive Safety
Outgoing CISA chief Jen Easterly recently drew a parallel between the current software development environment and the automotive industry of the 1960s. She suggested that just as Ralph Nader’s “Unsafe At Any Speed” provoked a consumer movement toward improved auto safety, a similar awakening may be necessary to address insecure software risks.
Easterly questions whether public outrage over software vulnerabilities can catalyze real change in the industry. Key stakeholders, including Chief Information Security Officers (CISOs) and IT software buyers, must insist on buying secure software and press vendors to adopt secure-by-design principles. However, the effort must go beyond improvements at the level of individual purchasing decisions.
The incentive structure within software development mirrors past automobile purchasing habits, where aesthetics and performance often eclipsed safety concerns. Consequently, software developers have little motivation to prioritize security unless the market demands it. Historically, consumers did not inquire about safety ratings when buying cars, just as modern software buyers often overlook security standards in favor of functionality and features.
As Easterly notes, the severity of automotive incidents, where lives may be lost, starkly contrasts with the relatively low-profile consequences of software flaws. Many users mistakenly believe they are insulated from cyber threats, contributing to a widespread apathy towards the issue. Consequently, software vulnerabilities are frequently sidelined as companies absorb them as a standard business risk.
The complexity of today’s software landscape adds another layer of challenge. Unlike the limited number of auto manufacturers in the 1960s, the current software field consists of thousands of companies, complicating efforts for widespread reform. Recent initiatives, such as the Secure by Design (SbD) pledge, highlight ongoing efforts to improve software security, with over 250 companies committed to these principles. However, this number pales in comparison to the overall market.
Shifting liability for software flaws back onto developers is urgent. A fundamental change in the incentive structure, similar to the regulatory pressure once applied to the automobile industry, is necessary to bring about a cultural shift in software development.
In conclusion, as the software industry moves towards 2025, heightened awareness and advocacy are essential for achieving better security standards. Stakeholders must educate themselves about software risks, demand stronger government regulation, and collectively push for change. A unified effort towards greater accountability can lead to a safer software ecosystem, which a world increasingly reliant on technology badly needs.
The content above is a summary. For more details, see the source article.