There are three types of vulnerabilities: design, implementation, and configuration.

Developers often cannot fix problems that were built in at the design stage. For example, the SMTP protocol, which transmits mail between mail servers, was originally created without identity verification, so we are still attacked by spammers and still receive phishing emails, simply because anyone can send a message signed with any address, even the address of the president. Yes, there are attempts to defend against this at the implementation stage, but the problem remains at the root, in the design.
Of course, programmers themselves introduce vulnerabilities.
There are, perhaps, two main problems here: huge amounts of code and the reuse of someone else’s code. When a software product is released, the code is usually tested to ensure that it works with standard input data. It is almost never tested with input data that has been deliberately modified to carry out an attack. Professional companies are introducing secure code writing practices called SDLC, but these are not perfect either. For example, Microsoft has been practicing and promoting secure code writing for many years, yet it still releases patches for newly discovered vulnerabilities every month. On average, our laboratory receives 80 reports of new vulnerabilities per day in products of various companies.
Code reuse is everywhere: no one writes standard algorithms and libraries from scratch. All programmers buy ready-made libraries or take public ones. Remember how badly the vulnerability in the OpenSSL library hit the world: after all, the whole world used it to control devices and to encrypt control channels and data transmission. And I had to urgently release patches and update. Updating network equipment and websites in production environments is not an easy undertaking. According to statistics, the Heartbleed vulnerability was present on 17% of public websites. Any product contains several dozen such public and paid libraries, for example libraries for managing external devices and internal ones such as video cards and network adapters, and vulnerabilities are periodically found in them. And if you look at the Internet of Things, no one even changes the default passwords there. Vulnerabilities are not needed there at all: anyone can come in and turn any device off and on.
Today, containers are the scourge of information security in organizations. They allow you to deploy the applications the business needs very quickly and efficiently, but any ready-made container can be considered vulnerable from the start, and many companies are urgently beginning to use products to protect Docker, Kubernetes and their execution environments, for example OpenShift. Many recent hacks and leaks of personal data were caused precisely by the use of vulnerable containers.