Can Software Manufacturers Prevent Ransomware Attacks?

Ransomware attacks still plague American businesses, including those in critical infrastructure sectors such as energy and health. Incident reporting requirements are a step forward, but can software manufacturers prevent ransomware attacks? According to Jack Cable, writing in the Harvard Business Review, the answer is yes.

Software is the only industry in which customers tolerate products that are unsafe even though fixes are readily available. Cable says businesses shouldn’t be shy about pressuring their software vendors to fix common vulnerabilities that lead to most attacks. They’ve known how to do so for decades, he says.

For example, SQL injection is a coding defect responsible for a very damaging series of ransomware attacks in 2023. The software industry has known how to prevent SQL injection at scale for decades. In fact, MySQL, one of the most common databases, introduced an approach to eliminate SQL injection vulnerabilities in 2004.

In response, the Biden administration’s National Cybersecurity Strategy calls for software manufacturers to accept their responsibility to produce secure products. CISA has begun issuing specific, actionable guidance that business leaders at software manufacturers should review and act on. Its SQL injection alert asks software executives to lead reviews of their code bases and eliminate all potentially unsafe functions to root out SQL injection at the source.

CISA has joined the Minimum Viable Secure Product working group, which provides a simple checklist that companies can use to judge whether a secure-by-design approach has been taken with software they are considering purchasing. Businesses should pressure vendors to eliminate whole classes of attacks. They can, for example, enforce multi-factor authentication by design, and establish memory-safe roadmaps to rooting out all the most common classes of software vulnerability.