Q&A: Mikko Hyppönen on building secure software
- select the contributor at the end of the page -
Why do you think we're seeing an increasing number of online security incidents? Is this a reflection of poor software security?
Mikko: I think the core reason why we're seeing more and more data breaches, and more and more attacks is that we just have more and more systems ... Everything is online and with the explosion of connected devices, this is only going to get worse. So I think attackers are better. I think there are more attackers-but more importantly, there are much more targets, and for many of the systems that get breached, security isn't the selling point. Security is an afterthought ... and this is going to be especially problematic in the future … there will be an even larger amount of targets, and this affects everything from home systems to enterprise systems, the fact that we have more targets means there will be more breaches.
So, the breaches may just be growing proportionately with the number of things that are there to be breached in the first place?
Mikko: That's right, and this isn't getting better, this is getting worse.
We still see a lot of the same risks being exploited. Things like SQL injection, cross-site scripting are up there in the top 10, for example. How are we not getting this right?
Mikko: It's a lack of resources and lack of skills … it's been quite obvious for a decade already that we have a shortage of top class security people all over the world and we don't seem to be able to solve that problem. It's surprising that universities don't seem to be able to meet the needs of the industry, and I'm not just speaking about security experts who work in the security industry-like every organization, every company needs people with security skills. All the developers who write customer-facing code or Internet-facing code should know how to get things like SQL injection solved, but we still keep running into these problems, so I guess it is an awareness issue and a resource issue.
For people building systems, what things do you think they should understand about security? What would be the key things for builders?
Mikko: Well, they have to be able to justify that their bosses and their managers need to put time and effort into security, even though it might not be the main goal of the product or the main goal of the service. Now we all know how bad it is when your organization gets hit and you end up on the headlines for losing customer data or getting badly hacked … it just has to be done and maybe it's, again, an awareness issue, but in many cases it seems to be that this is something that developers themselves should, you know, bring up to the attention of the management if management isn't getting it by themselves.
What is an impactful way for developers to bring that to leadership attention and make the case that they need to invest in security? How do they justify that?
Mikko: Well, it shouldn't be very hard to scare managers with horror stories about awful things that happen, because there are so many examples you could just pick from at any given week. However, I'd also like to point out that there is quite a misconception about how getting badly hacked equals your company folding or going bankrupt or things like that, it's actually not true … I'm not saying that these aren't bad cases, they are and you end up in headlines and you might have big monetary losses, but companies seem to be recovering surprisingly well … but coming back to my main point, there are plenty of horror stories and examples to bring the point home, but we shouldn't exaggerate that if we don't get security right the company is going to go bankrupt, most likely it won't.
For people involved in building systems, what are the practical things they can do with limited funds that help to protect against the risks of eavesdropping or oversight?
Mikko: The key point is encrypting data in transit and keeping data at rest encrypted as well, but especially for privacy purposes … Quoting Edward Snowden, encryption works. That's why I'm so happy to see how over the last two years HTTPS has become much more commonplace for everyday sites and services that we all use. I can't wait for Web browsers to stop supporting HTTP and only speak HTTPS. It's not a cure all obviously, but it really does help.
You've looked at a lot of malware over the years. I'm curious about the people making these products; are they software professionals or are they just out there to scam money?
Mikko: There's all varieties. We see the biggest amount of online criminals coming from countries which are, in one way or another, developing countries … and I suppose the reason why we see more online crime from those countries than we should, based on global statistics, is that these are areas where there are lots of people with skills, but without the opportunities and, you know, you've got to eat ... Of the people who do get caught, we do see all kinds, we see quite a bit of self taught programmers who've never had any official training at all and they've just started programming as kids and ended up in this line of job. At the other end we see university trained programmers, and we actually see some online criminal operations, which are very professionally run ... like any other company, except these guys are criminals.
What do you think we can start teaching kids about online security?
Mikko: One thing that I think we aren't doing well enough when we train children about online use is to be very clear about how it's not just wrong to do online attacks or be involved with malware writing or online crime in any way, but it's also illegal, just as illegal as doing real-world crime. And if these are said very clearly to children when they are still young it makes you wonder why aren't we doing them, it should be very, very clear.