Infosecurity Europe
4-6 June 2024
ExCeL London

Security by Design: Can We Break the Vulnerability Management Cycle?

Vulnerability management is a pressing issue in cybersecurity and a growing burden on overworked security teams.

A range of strategies have been discussed to make the patch management cycle more sustainable, ensuring the most severe and potentially damaging flaws are mitigated before they are exploited by threat actors.

The Complexities of Software Vulnerability Management

It is an area that requires constant attention – for example, on the second Tuesday of every month Microsoft rolls out a fresh batch of patches across its applications in an event known as ‘Patch Tuesday.’

Unsurprisingly, many of these critical vulnerabilities are exploited before a patch is put in place.

US government cybersecurity agency CISA maintains the Known Exploited Vulnerabilities Catalog, an authoritative list of vulnerabilities exploited in the wild, to help defenders keep pace with threat activity.

A reminder of the problem came when Apple announced emergency patches for three zero-day vulnerabilities believed to have been exploited in the wild against iOS devices.

With growing demand for software products, the scale of vulnerabilities that need to be managed is only going to increase.

An ambitious UK government-backed project is working on significantly addressing the never-ending patch management loop, by developing technology that prevents the majority of vulnerabilities occurring in the first place.

The Digital Security by Design Program

The Digital Security by Design (DSbD) initiative was launched in 2019 and is based on the hardware concepts of the Capability Hardware Enhanced RISC Instructions (CHERI) project.

CHERI is a collaboration between semiconductor and software design company Arm and University of Cambridge researchers that dates back to 2014.

The key initial focus of DSbD was research and development, with academia and industry invited to experiment on the ‘Morello board’, a system on chip (SoC) and demonstrator board developed by the CHERI team.

This process has helped refine the technology, to the stage where it can strengthen the security of underlying computer hardware, heavily reducing the burden on security teams and developers.

This includes enabling computer programs to be built out of self-contained secure compartments, meaning only a limited area of code and/or data can be accessed by any one attack, and allowing the application of spatial memory safety to existing software, written in languages such as C, to mitigate attacks such as buffer overflow.
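As an added illustration, not code from the article or from the CHERI project, the following C program models in software what CHERI's spatial memory safety enforces in hardware: a pointer carries its own bounds, bounds can only be narrowed, and a store outside them is refused rather than clobbering the neighbouring field. All struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Software model of a CHERI-style capability: a pointer plus the bounds it
 * may access. Hypothetical names; real CHERI checks this on every access. */
typedef struct {
    uint8_t *base;   /* lowest address the capability may touch */
    size_t   length; /* number of bytes reachable from base */
} cap_t;

/* Derive a narrower capability from a parent. Bounds may only shrink
 * (CHERI's monotonicity rule); a request outside the parent is refused. */
static bool cap_restrict(cap_t parent, size_t offset, size_t length, cap_t *out) {
    if (offset > parent.length || length > parent.length - offset)
        return false;
    out->base = parent.base + offset;
    out->length = length;
    return true;
}

/* Bounded store: the write only happens when it lies inside the bounds.
 * On real CHERI hardware an out-of-bounds store traps instead. */
static bool cap_store(cap_t cap, size_t offset, uint8_t value) {
    if (offset >= cap.length)
        return false;
    cap.base[offset] = value;
    return true;
}

/* Constructed scenario: a 16-byte record with an 8-byte name field followed
 * by an 8-byte flags field. Copy src_len bytes into the name through a
 * capability bounded to that field. Returns how many stores were rejected
 * and reports the first flags byte so the caller can see it was untouched. */
static int run_copy(size_t src_len, uint8_t *flags_byte_out) {
    uint8_t record[16] = {0};
    cap_t record_cap = { record, sizeof record };
    cap_t name_cap;
    if (!cap_restrict(record_cap, 0, 8, &name_cap))
        return -1;                      /* could not derive the field bound */
    memset(record + 8, 0x41, 8);        /* flags field an overflow would hit */
    int rejected = 0;
    for (size_t i = 0; i < src_len; i++)
        if (!cap_store(name_cap, i, 0x61)) /* 'a' */
            rejected++;
    *flags_byte_out = record[8];        /* stays 0x41 if the bounds held */
    return rejected;
}

int rejected_stores(size_t src_len) { uint8_t b; return run_copy(src_len, &b); }
int flags_byte_after(size_t src_len) { uint8_t b; run_copy(src_len, &b); return b; }
```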

Speaking to Infosecurity Europe about the progress of DSbD, John Goodacre, Challenge Director at Digital Security by Design, UK Research and Innovation (UKRI), and Professor of Computer Architectures at the University of Manchester, explained that the CHERI architecture, once implemented, will prevent the vast number of vulnerabilities relating to memory safety and privilege escalation.

The impact of this would be seismic, with Microsoft and Google having previously reported that 70% of the bugs in their products are memory safety problems.

“If we can wipe out 70% plus vulnerabilities on open systems and reduce the number of vulnerabilities on CISA’s Known Exploited Vulnerabilities Catalog list from over 1000 to 200-300, then that’s manageable and sustainable,” said Goodacre.

How is DSbD Progressing?

There have been some exciting announcements relating to DSbD in recent months, following the period of testing and refinement of the CHERI architecture.

In October 2023, Codasip, a processor technology company, announced the first commercial implementation of CHERI, making the technology available in its products.

This will allow customers to take preventive security measures without having to wait for their vendors’ delivered patches.

This announcement represents a major breakthrough in the programme – that the technology has been made commercially viable for the first time.

This is against the backdrop of what Goodacre describes as a fundamental “market failure” in cybersecurity – that the current computer hardware upon which software products are built is outdated, traced back to designs developed during the 1940s and 1950s.

Goodacre believes Codasip’s work has been customer driven by increased understanding and desire for products to be secured by design. 

Government Pressure 

This has in turn been pushed along by growing government pressure to embed secure by design principles into digital technology. An example is the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which places obligations on smart device manufacturers to secure their products before going to market.

Additionally, the US government’s National Cybersecurity Strategy published in 2023 aims to place much greater cybersecurity responsibilities on software developers.

The CHERI architecture was also cited by CISA in its illustrative roadmap of secure by design best practices.

Goodacre highlighted a number of other “secondary effects” from the development of the CHERI architecture, with the technology being used as a test target to improve the quality of existing software.

An example of this is the Sunburst project, which will produce two types of development boards featuring capability-enhanced processors based on CHERIoT technology, with the goal of getting this technology into the hands of engineers.

Next Steps for the Program

While DSbD has taken significant strides in its effort to secure underlying computer hardware, it still has a long way to go.

Goodacre said the main barrier remains financial – ensuring organisations see a return on investment for the cost of replacing their underlying digital architecture, such as processors and compilers.

“That’s where we are focusing the program – trying to ensure awareness of the benefits of the change so it’s viewed as worthwhile,” commented Goodacre.

This requires the broader cybersecurity industry to move away from its current mindset of being an “operational expense,” whereby organisations pay for their systems to be protected.

Instead, Goodacre wants cybersecurity to be considered a risk that needs to be managed, building a connection between operations and capital expenditure.

“We want businesses to be thinking, is that vendor giving me something that’s secure by default, and how are they demonstrating to me that it’s secure by default,” added Goodacre.
