Consumer Software Security Assessment: Should We Follow NHTSA's Lead?

Vehicles are required to meet basic safety standards. Having similar requirements for software would give consumers greater control over their privacy and security.

Richard Caralli, Senior Cybersecurity Advisor, Axio

November 15, 2023


The US National Highway Traffic Safety Administration (NHTSA) is dedicated to its mission: "to save lives, prevent injuries, and reduce economic costs due to road traffic crashes, through education, research, safety standards, and enforcement." Is it time to create a similar organization dedicated to consumer software security? The mission would be quite similar: to ensure software meets basic security and safety standards and is easy for consumers to understand, implement, and sustain.

Today, cars must meet a basic safety standard before they are cleared for sale to the public, but software does not. How can we make it easier for every American to protect themselves and their data from digital crimes?

Meeting Basic Safety and Security Needs

Uber's Android app has more than 10 million lines of code (at launch it had only about 10,000), nearly as many as the typical smartphone operating system, which comes in at around 12 million lines of code. On smartphones, there are thousands of settings available. Many affect security and privacy and are configurable by end users, which is important to most users. Unfortunately, many software and device users don't realize that they need to consider each of those configurations carefully, not only because the wrong configuration could expose them to potential attackers but also because a careful configuration protects them from legitimate attempts to use their data in ways that may expose it more than they realize.

Few software products and devices protect users by default from exposing themselves to attack or to overly permissive data access, making consumers an easy mark for malicious actors. To increase software security, safety features must be in place by default, but users must also use those features for them to be effective.

Creating Safety Ratings

One issue with consumer software security is that the software and device manufacturers do not warn people of the danger of using them with the default configuration. There are many rating agencies that tell customers their vehicles' safety profile. The NHTSA provides vehicle safety ratings so that consumers can choose the safest vehicles and learn about recalls easily. There's also the Insurance Institute for Highway Safety (IIHS), an independent nonprofit that conducts research and evaluation to educate consumers, policymakers, and safety professionals. Consumers can use information from these organizations to balance the functionality they want with critical safety features. This allows consumers to make a conscious choice about functionality and safety when choosing a vehicle.

Understandably, it's a daunting task for software developers to perform exhaustive software testing to identify and fix all possible bugs before release. It's a tedious, complex, and error-prone process. Even so, the White House has urged enhancing the security of the software supply chain in Section 4 of the Executive Order on Improving the Nation's Cybersecurity. While it's challenging (and maybe impossible) to release bug-free software, warning customers that they should review and modify the default settings is not difficult.

This warning should come with every software app and device. Ideally, it should be more accessible than a long, difficult-to-parse terms and conditions page or a small, poorly translated piece of paper in the device box. It must be easy to read and understand at a glance, rather than requiring a magnifying glass, familiarity with legalese, and a lot of patience.

In addition to warning consumers that using an application's default configuration can be risky, we could evolve to a rating system that allows consumers to know that what they are buying is inherently risky, so they can knowingly make the same trade-offs they do when selecting a vehicle. For example, a rating system might consider:

  • The ways a particular operating system or application has been attacked in the past.

  • The number of security patches required over time to make the application more secure.

  • The security features in the application, such as encryption, authentication, and authorization.

  • The organization's privacy practices, including how it collects and uses user data.

This might steer a user away from a product — or at least heighten their awareness of its security profile over time. For example, some Internet browsers are well known to be inherently riskier than others. What if they came with a security rating upfront? Users could rely on that rating to decide whether they are willing to make a functionality vs. security trade-off.

The Consumer's Role in Software Security

With so much software in users' hands all day, every day, it's imperative for them to initiate their own security and privacy review of the software and devices they use. Most users focus only on configuring the features and applications that are important to them. While some are important usability features, users must also realize that there's a lot more involved. The applications they use interact with operating system settings, which can cause the application to put them at higher risk.

Our role as security educators and software providers must be to urge users to review all default settings on new out-of-the-box software and devices and make changes as appropriate. Unfortunately, this is far from an easy task for most users.

Currently, there are guides available to help users navigate through configuring the most important settings, which gives them the option to decide on the balance between functionality and security and privacy. For example, Consumer Reports published its "Guide to Digital Security and Privacy" to help consumers stay safe online, control online tracking, and protect phones and laptops from attackers. While these guides are helpful, far too few users read and take advantage of them. A simple safety rating system that aligns with broader cybersecurity policies of the current administration could ensure that consumers understand the basics of how to keep themselves — and their software and devices — safe and secure.

About the Author(s)

Richard Caralli


Richard Caralli is a senior cybersecurity advisor at Axio with significant executive-level experience in developing and leading cybersecurity and information technology organizations in academia, government, and industry. Caralli has 17 years of leadership experience in internal audit, cybersecurity, and IT in the natural gas industry, retiring in 2020 as the Senior Director – Cybersecurity at EQT/Equitrans. Previously, Caralli was the Technical Director of the Risk and Resilience program at Carnegie Mellon's Software Engineering Institute CERT Program, where he was the lead researcher and author of the CERT Resilience Management Model (CERT-RMM), providing a foundation for the Department of Energy's Cybersecurity Capability Maturity Model (C2M2) and the emerging Cybersecurity Maturity Model Certification (CMMC). During his 15-year tenure at Carnegie Mellon, Caralli was also involved in creating educational and internship programs for Master's degree and continuing education students at the Heinz College.
