CTO challenges software security status quo
A former U.S. Department of Homeland Security researcher argues that software is fundamentally broken from a security perspective. So, where does the industry go from here?
A former U.S. Department of Homeland Security R&D manager now works at a private sector company, but he remains committed to rethinking established practices in software security and cyberdefense.
In fact, in Kevin E. Greene's view, there's no such thing as secure software. In a public LinkedIn post in April, Greene argued that software is too fundamentally broken to be truly secure. Instead, Greene advocates for a departure from established practices to refocus on what he calls software resiliency, in which organizations take a proactive approach to hunting and disrupting ongoing threats.
"[T]here are too many things broken with modern software that are foundational in creating a healthier software world," Greene wrote in the post. "... [I]t is not clear if policy makers ... fully understand how broken modern software is."
In this episode of IT Ops Query Season 2: The State of SecOps, Greene -- now public sector CTO at OpenText Cybersecurity, working with the vendor's government clients -- challenges the notion that established software security guidelines such as the secure software development lifecycle achieve their intended outcomes.
"I don't think there's such a thing as secure software," Greene told TechTarget Editorial's Beth Pariseau during the episode. "I don't think it's attainable because all software has vulnerabilities, or they have CWEs [Mitre Common Weakness Enumerations] that are waiting to be exploited."
Kevin E. GreenePublic sector CTO, OpenText Cybersecurity
So, what role does security operations play in software resiliency? According to Greene, SecOps, developers and IT security teams should all understand their organization's software assets and associated vulnerabilities to proactively anticipate what attackers will target. SecOps teams can shore up software resiliency by applying relevant patches to vulnerable software components and adding layers of defense for systems that can't be patched.
Greene acknowledged that patching is a longtime sore spot for SecOps, even though it's considered a basic element of cybersecurity hygiene. That's where, for him, there are promising use cases for artificial intelligence, but Greene still emphasizes that the most important element in moving on from established approaches is a fresh mindset.
"People resist change, and that becomes our Achilles' heel," Greene said. "That human ... aspect does breed some complacency and forces us to be reactive."
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.