Security is a vital topic when it comes to talking about software, and while there’s no silver bullet that will address all your security concerns, there is something to be said for the benefits that bespoke software can bring. As I say, there’s no magic solution. Security needs a holistic approach. You should be thinking about security risks, management of those risks and your options for mitigating those risks. In this blog post, I want to focus on two areas: the risks around software bugs, and the hosting and infrastructure risks.
Both bespoke and Commercial Off The Shelf (COTS) software will typically use third-party components and libraries. Any of these could have vulnerabilities within them. There’s no difference there. Someone needs to track those vulnerabilities and plan for fixes. This happens with both bespoke and COTS. The benefit of COTS is that someone else is doing that for you. That’s great because you don’t have to think about it, but in practice you’re beholden to the vendor for any fixes or workarounds, and for the timing of when you’ll have them deployed. With bespoke software, yes, you’re going to have to track vulnerabilities in those components (or have a high-quality vendor with a multi-decade track record of supporting bespoke software do that for you… hint, hint!), but you have complete control over when fixes or workarounds are applied and when they are rolled out. You can fast-track them if they represent a high risk to your business, or you can bundle them into a quarterly release if they are low risk. Whatever is going to work for your situation. It might be that there isn’t a fix, and replacing the component is the best solution. Yes, you’re going to have to pay for that work, but you can make it happen. You’re not waiting for the COTS vendor to decide what to do.
The hosting risks very much depend upon the nature of the software. If the COTS software is delivered as SaaS, as a large amount of software is these days, you’ve got no control over managing hosting/infrastructure risks. You are completely reliant on the vendor having a capable security team to manage and mitigate those risks. If the COTS software is self-hosted, then the responsibility is on you to manage the security of the infrastructure. Alongside that, you are constrained by the hosting requirements of the software: the platform and versions that software requires. This might be a limitation that stops you from upgrading to supported platforms that continue to receive security fixes from the platform vendor.
By comparison, with bespoke software you can define your hosting requirements during the non-functional requirements stage of analysis and project scoping. Even with older, legacy bespoke software, you can still make the decisions about when upgrades need to happen to manage your security risk. You can decide to migrate to cloud hosting, as an example, and then you’re building on top of platforms that have significant security investment and compliance certification.
Another aspect of managing your security risk that you should think about is penetration testing (pen testing). I would encourage you to include this in your maintenance budget for any system that is critical to your operation. Commissioning a pen test gives you an independent view of the vulnerabilities that might exist within your software. In the pen test report, you’ll get a list of vulnerabilities and their associated risk to your security. With bespoke software you can then decide what to do next: which issues will you address, which will you mitigate, and which will you accept as low risk? The situation with COTS software, however, isn’t quite as clear-cut. Is it within the terms of service that you can even perform such a test? What will happen with the outcomes? Will the vendor fix them? You’re left in an uncertain situation should your tests find something significant.
I’m going to summarise by pointing out the obvious: security is really important! The software that you use is a significant part of that. When working with COTS software, you are mostly reliant on the vendor to identify and address risks. Lots of vendors put a lot of work into that, so you don’t have to resource that expertise yourself, but there is often a lack of visibility and assumptions have to be made. With bespoke software, you are in control of how to proceed. You can work to the level of risk that is acceptable to your organisation, and that is entirely your choice, not someone else’s.