It is common knowledge that hackers and cyber criminals attack the weakest link in the security ecosystem. They will compromise a widely used open source application, inject malware onto a public-facing server, poison a downstream supply chain update with malicious code, social engineer an employee with poor cyber hygiene, or do anything else imaginable to gain access to sensitive systems and data. Stakeholders of every category are therefore always advised to work together to minimise the threat landscape that digital adversaries can exploit.
Information security risks in Malaysia are shaped largely by regulation and oversight, together with other important policies, procedures, guidelines and rules. The software development sector, however, remains relatively unregulated, not only in Malaysia but elsewhere in the world, even though its impact on every organisation and nearly every aspect of our daily lives is unmistakable.
There is very limited, almost zero, development of security software in Malaysia. The majority of the security software in use, almost all of it, is procured from overseas. Thus, any actions or calls by Malaysian organisations urging vendors of security software to make security a priority in their software development are likely to fall on deaf ears.
So how do our country and our organisations persuade these security software developers to institutionalise security in their software development?
We are proposing that with immediate effect, organisations should hold software vendors accountable for cybersecurity incidents. Currently, when liability is attributed, it is almost always placed onto the organisation because of language incorporated into the service level agreements by legal teams intent on shielding software developers from taking responsibility for the integrity of their products.
Large organisations can leverage their significant buying power to demand secure practices from their vendors. Developers who are unwilling or unable to demonstrate that their products are secure to acceptable standards, whether by providing documentation of their development process or by providing an artefact verifying that they tested their software for vulnerabilities, will lose market share to more reliable vendors.
Institutionalising security must become a priority amongst all the organisations in Malaysia. Hackers depend on exploitable vulnerabilities in software applications to gain a foothold in the network, to escalate privileges, to laterally compromise systems, to avoid detection, and to exfiltrate data. If software developers incorporated layered security throughout the development lifecycle of their products, then malicious adversaries would have fewer vulnerabilities to exploit, organisations would waste less of their budget paying for system remediation and patching, and software vendors could focus more of their resources on innovating and developing higher quality products that better secure and meet the needs of their clients.