It has been reported that Israeli security firm JSOF revealed today a collection of vulnerabilities it’s calling Ripple20, a total of 19 hackable bugs it has identified in code sold by a little known Ohio-based software company called Treck, a provider of software used in internet-of-things devices.
JSOF’s researchers found that one bug-ridden part of Treck’s code, built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers—from HP and Intel to Rockwell Automation, Caterpillar, and Schneider Electric—and likely dozens more, JSOF believes. The result, the researchers say, is the better part of a billion hackable devices in the wild that have likely been vulnerable for years, and will need to be patched to protect them from a broad array of attacks.
The Ripple20 disclosures are a graphic illustration of three truths in software development.
First, security must be integrated to every part of software development. From threat modeling during design to automated security testing during implementation, every phase of software development must involve security. Vulnerabilities that escape unnoticed represent serious risk. Finding and fixing more vulnerabilities during development translates directly to lower risk.
Second, organisations that create software must manage their third-party components. The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organisation must understand the third-party components they are using to minimise the risk that they represent.
Finally, all software products must be able to update themselves. Using secure development practices and managing third-party components will result in fewer, less frequent updates. Nevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.