Attackers recently used a zero-day vulnerability in Internet Explorer 8 to target employees at U.S. government agencies, prompting discussion about how hard it is to secure large organizations that are slow to make changes. Given the difficulty of ensuring organizations make necessary updates, programmers should work to strengthen software security as much as possible during the development process.
Attackers were likely drawn to targeting the government agencies because they knew that many departments continue to use outdated versions of Windows and IE, according to CSO. Given the cost and complexity of managing updates in such large organizations, many remain slow to implement changes or install new software. In some cases, adopting new software would create system-wide complications.
“There’s a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions,” Eddie Mitchell, a security researcher for Invincea, told CSO. “They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable.”
While developers may assume that they can address software security with future updates or releases, the reality is that many organizations continue to run outdated software. As a result, security should be a focus from the outset of any development process. Using tools such as static analysis software, programmers can catch defects before the code is released, minimizing the likelihood that a zero-day vulnerability will be targeted years down the line.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.