Buggy code, fragile legacy systems, ill-conceived projects cost US businesses $2 trillion in 2020

Software quality crisis made worse by developer shortage, report claims

Shoddy software cost the US an estimated $2.08tr in 2020, according to the Consortium for Information & Software Quality (CISQ). That's down slightly from a revised 2018 total of $2.1tr but still isn't anything to brag about.

In its 2020 report, The Cost of Poor Software Quality in the US, the Massachusetts-based standards group co-founded by the non-profit Object Management Group and Carnegie Mellon University's Software Engineering Institute (SEI), identifies three major cost sinkholes.

Unsuccessful IT initiatives and software projects are estimated to have cost $260bn in 2020, up from $177.5bn in 2018. Poor quality in legacy systems is said to have eaten up $520bn, down from $635bn in 2018. And operational software failures – bugs – took a toll of $1.56tr last year, significantly more than the $1.275tr flushed away in 2018.

"The losses due to operational failure in the US alone are staggering," said Dr. Bill Curtis, executive director of CISQ, in a statement. "It just takes one major outage or security breach to eliminate the value gained by speed to market. Disciplined software engineering matters when the potential losses are at this scale."

The consequences of poor quality software are evident in various examples cited in the report, such as the two serious software bugs that prevented Boeing's Starliner from docking with the International Space Station in December, 2019, and put the spacecraft at risk.

Boffins debunk study claiming certain languages (cough, C, PHP, JS...) lead to more buggy code than others


The incident resulted in Boeing taking a $410m charge in Q4 2019, which looks rather insignificant compared to the $2.5bn the company will pay to avoid fraud prosecution related to the deadly crashes of two Boeing 737 Max aircraft, also linked to bad software.

Why is the situation so grim? The report argues there's an IT talent shortage, a claim others have made as well.

"There are simply not enough good software developers around to create all the new and modified software that users need," the CISQ report says.

"Given the indirect as well as the direct contribution of software to the economic base of most industrialized countries, and considering the ways in which software can amplify the powers of the individual/teams/organizations, we cannot allow this situation to continue."

The report claims that just two percent of the worldwide population can code and that the need for developers is expected to grow by 24 per cent over the next seven years. And it notes that the US Bureau of Labor Statistics says US software developer jobs will increase at a rate of 22 per cent over the next decade.

To reduce the number of operational failures – the largest problem segment by far – the report calls for better software defect detection and remediation of identified vulnerabilities. It asks individual developers to take responsibility for prioritizing software quality and it urges organizations to promote a culture that supports software excellence.

"Producing quality products and systems makes good business sense, but what that means must be well-known in your organization," the report concludes. ®

Send us news

Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Continue reading

RubyGems polishes security practices with multi-factor authentication push

Faced with rising software supply-chain attacks, package registries are locking things down

Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.

This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.

"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."

Continue reading

1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right

1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

Continue reading

More than $100m in cryptocurrency stolen from blockchain biz

'A humbling and unfortunate reminder' that monsters lurk under bridges

Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.

The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.

"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.

Continue reading

Travis CI exposes free-tier users' secrets – new claim

API can be manipulated to reveal tokens in clear text log data

Travis CI stands for "Continuous Integration" but might just as well represent "Consciously Insecure" if, as security researchers claim, the company's automation software exposes secrets by design.

Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

Continue reading

Mega's unbreakable encryption proves to be anything but

Boffins devise five attacks to expose private files

Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

Continue reading

Inverse Finance stung for $1.2 million via flash loan attack

Just cryptocurrency things

A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."

And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."

Continue reading

Apple gets lawsuit over Meltdown and Spectre dismissed

Judge finds security is not a central feature of iDevices

A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.

The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.

Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."

Continue reading

Apple M1 chip contains hardware vulnerability that bypasses memory defense

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip's pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

In a paper titled "PACMAN: Attacking Arm Pointer Authentication with Speculative Execution," Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed, to accelerate execution – to discern the pointer authentication code that allows pointer modification on a protected system.

Continue reading

Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Continue reading