Unpatchable is Unusable

I read an interesting article pn Computerworld.com titled “Worm may create an Internet of Harmful Things.”  It discusses how, as our world becomes filled with Internet-connected devices, concerns over security grow.  There is one quote from the article that stands out for me:  “Security expert Bruce Schneier…is concerned about the broader risks to the Internet of Things. In many cases, IoT connected systems are using firmware that can be hard to patch. In fact, ‘in many cases, [it’s] unpatchable,’ he said.”   Unpatchable.  

When it comes to software security, if it cannot be updated, it should not be used.

This reminds me of an interesting (perhaps unrealistic) software development methodology called “cleanroom engineering”.  With this approach the focus is on preventing bugs or vulnerabilities from ever making it into production code.  The SDLC is heavily weighted on all phases before actual coding begins, because (per this methodology) all you have to do is code to the design, since it should be defect free.

This approach to software development seems like an analogy for vendors who release products that cannot be updated.  There three reasonings that I can see for this.  The vendor

  • assumes its product is truly 100% secure, and no vulnerabilities will ever be discovered
  • hopes that significant security issues with its product will not be discovered within a reasonable (or obligatory) timeframe
  • does not offer patchable products, but offers to sell replacement products that address the security vulnerabilities found in “last year’s model.”

Replacing products used in production is costly and disruptive, and I can’t see the news of any unpatchable security vulnerability endearing a vendor to a customer.  In our rush to Internet-ize everything, security may take a back seat again, just like the early days of the Internet or smart phones.  As a result, weaknesses will be exposed that attackers the opportunity to do embarrassing, destructive or even dangerous things.

Vendors should operate under the assumption that something will not go according to plan.  At some point, a security vulnerability will be discovered in a product even if the vendor did not find it pre-release.  And when that vulnerability is found, the vendor should be able to fix (patch) that vulnerability ASAP.  Any other approach, such as selling software products that cannot be patched, is downright irresponsible.