We are often told that “Security by Design” is the key to preventing, or at least mitigating, cybersecurity attacks, but experts say there are still too many openings for the hackers, and for mistakes to be made by software users.
IT Europa attended Cyber Security Week in The Hague this week, and its centrepiece ONE Conference, and as part of that we wanted to gauge the success or otherwise of software development in the security space.
Bibi van den Berg is a professor of cybersecurity governance at Leiden University, and the head of the cybersecurity governance research group at the Institute of Security and Global Affairs at the university.
She told ONE Conference delegates: “Security by Design is often talked about, but often too many features in software lead to too many security risks.
“Anti-featurisation is key here. But the methodology of researching products and updates is usually done by very technical people who are highly skilled, but get very excited by new features that many normal, average users don’t need.”
By increasing the attack surface with redundant features in software, developers were failing, she said. She also pointed to a widening move to software platforms as dangerous too.
“With platforms, you have a single point of failure, and with ever more integrations you also cause potential problems.”
Where possible, she said, apps should instead be used. “Apps are islands, with detached functions and few features. Using many apps means that data is spread around instead of being in one place.”
She called for guardrails in software development, which is probably more urgent than ever with the advent of agentic AI, with many of those systems commonly supported by big platforms.
She said such guardrails should address the five security factors of design, defence, attack, use, and recovery. She praised the recently published National Cyber Security Research Agenda IV, Holland’s “science for a resilient digital ecosystem”, she said.
Soufian El Yadmani, founder and CEO of security research and consulting firm Modat, outlined to press the threats in two different industry areas.
Modat recently published research about flaws in access management systems (AMS) used in buildings, and weak security in the health industry.
For buildings, Modat found 50,000 flawed AMS worldwide, affecting verticals such as government, the oil industry, education, healthcare and manufacturing.
El Yadmani said: “We immediately initiated the process of reaching out to the affected, in order to assist them in fixing these security breaches. These systems should never be exposed to the internet in the first place, and we advise owners update and patch these systems, and avoid using default passwords.”
In healthcare, Modat discovered 1.2m exposed healthcare devices worldwide, with countless individual records accessible across different applications.
Over 70 different systems were affected, including MRI, CT, X-rays, DICOM viewers, blood test systems and hospital management systems.
There were multiple reasons for vulnerable devices, including misconfigurations and insecure management settings, default or weak passwords, and unpatched vulnerabilities in firmware or software.
“We reached out to affected organisations in order to assist them in fixing these security breaches through organisations like Z-CERT and Health-ISAC.
“Organisations have to make regular security assessments and maintain comprehensive asset inventories, as personnel changes and operational modifications can introduce configuration drift and security gaps.
“Continuous monitoring of network-connected devices is essential to identify potential exposures, misconfigurations, or emerging vulnerabilities. By doing that, healthcare facilities can significantly reduce their cybersecurity risk profile,” said El Yadmani.
He added that open source software was often at the centre of flaws in both sectors covered by the research. “Open source systems are cheaper than proprietary software, and are easier to use. But users must use strong credentials, not standard ones.
“You can of course put your own security on top of open source systems, but many organisations don’t.”
He also warned about software features that allow organisations to track and locate all the other endpoints/devices or workspace/system locations on the network. Many sites don’t even use such features bundled into software, but they are useful for attackers to spread their attacks. If it’s not needed, turn device and location tracking off.
As for AI, there is no more critical area around AI software than the battlefield.
We spoke to military AI expert and international law researcher Dr Jonathan Kwik, from the Asser Institute, whose latest book on battlefield AI is studied at West Point in the US, among other key military institutions.
He said: “The Terminator thing gets the attention and interest, but we’re not really talking about that here. The AI systems for decision support on the battlefield are what’s relevant now.
“Is a house in Gaza being targeted empty of combatants or not, for instance. The reality of war systems being used is that they have to be simple and quick to use, as in the field they are usually operated by normal guys, not technology experts.
“They don’t have much time in the field to target and potentially attack very large numbers of locations.”
He added: “This is about international law, and state rules of engagement, but who really controls what happens every day in the battlefield. There can’t necessarily be an investigation every single time something goes wrong in a war.”
Kwik said it’s not known whether the Israeli Defence Forces are using a commercial AI system in Gaza, or a specially developed one, as it’s all secret. But the danger of any AI system “hallucinating” and giving the wrong answers was potentially just as prevalent in a war, as it was anywhere else, he said.
“There is also the danger of what I call “boot-licking”, an AI system could be prone to delivering a “positive” instruction to a weapons operator, if they are constantly looking for targets to destroy, as it comes to believe they want to,” Kwik said.
