We Should Demand Better

I ran across an interesting open letter. Most of these are from individuals, often complaining or lamenting on the way something in the world works, or maybe doesn’t work.

This latest letter was from the Chief InfoSec Officer at JPMorganChase, a large worldwide bank. This open letter was written to the software suppliers looking to do business with JPMorganChase, especially those in the SaaS area (Software as a Service). The letter opens by noting that SaaS is enabling cyber attackers and asks for three things: prioritize security over features, modernize security architecture, and work with security collaboratively to prevent abuse of connected systems.

It’s a good letter. It talks about the problems at a high level, but is specific enough to recognize problems. Software is often delivered as a SaaS type application, even when there might be local components. For example, I lament Postman working this way, as it now seems to require me to be connected in order to work. That’s something I learned while trying to get work done on an airplane: I couldn’t get to any of my queries because I didn’t have wi-fi, despite the application running locally on my laptop.

The threat of more attackers is amplified by the connectedness of new systems, new agents, and new protocols that allow a breach to escalate deeply inside systems. This is something we’ve faced in the past, but not at the scale that we face it today. Automation has become embedded in the computing world, not just inside organizations, but also inside hacking organizations. Malicious actors can and do use scripted attacks at a rate that we haven’t experienced in the past.

I wish that most people purchasing software would prioritize security when making a decision, but often price and expediency outweigh anything else. While I do see many companies asking for security information, too often the requests are at high levels, and vendors can word their answers in a way to satisfy the screen without actually improving their own security coding and architecture.

I do think the authorization and authentication of users is improving, and I hope that as more patterns and frameworks are published and widely used, we’ll see more consistent security throughout software. Now, if we can just ensure the authors of those platforms do a good job of security, we might see the request from JPMorganChase come true.

Steve Jones

Listen to the podcast at Libsyn, Spotify, or iTunes.

Note, podcasts are only available for a limited time online.

About way0utwest

Editor, SQLServerCentral

2 Responses to We Should Demand Better

  1. Steve – The gentleman at JP is %10 right, but his request will never be met, and that’s b/c new features, services and products ring in $$, whereas enhanced security, actual enhanced security and not just the sales people saying it’s enhanced, doesn’t. This guy at JP seems to have it as a priority, but most do not, else the software vendors would try and do more with security. The vendor is always going to chase the best chances at the most $$. Just as corporate executives no longer care what impact on society or their surroundings their decisions have for the business, so too is there a lack of care about better security.

    The SaaS type application is also about more $ and consistent income. Instead of trying to sell a client this year’s version of software X, with a SaaS type application they’re in a service contract, and so regardless of version they will be paying every month or annually.

    Lastly, there is the issue of control and access. All the big boys want as much access to everything as is possible, so they’re not going to give users better security at the cost of losing that access, even if that access means greater risk for users. Not all vendors are like this, but enough are. These guys want ads access, data mining access and especially access to train their latest innovation, the general LLM aka AI. Few if any in that industry still care about end user security.

    I’m a dev guy and not an IT guy, but I do talk with my IT coworkers a lot, and they have shared some pretty incredibly dumb stories with me, dumb decisions made by Microsoft with regards to security. They say it’s b/c too many decisions get made by marketing and sales and not by the right departments, and I can believe that.

    Between not enough major users insisting on better security and the large tech firms not wanting to give up the access they have now, I don’t see us ever properly dealing with security, even after a major cyber attack by a state actor. I know it sounds a bit of a dark take, but it’s not as if we’ve only had a few years of security issues to decide to do something about it. The IOT push demonstrated just how little anyone cared about security.
