A ‘Window Sticker’ for Software (Adam Isles – Lawfare)

In June 2017, a cyberattack known as NotPetya corrupted the Ukrainian tax accounting software M.E.Doc and used it to infect victim machines with destructive malware, which spread rapidly and incapacitated numerous global companies, including Maersk—causing billions of dollars in damage. Cybersecurity professionals believed the attack would serve as a wake-up call about the risks of vulnerable software. And yet, more than half a decade later, the global community continues to see security weaknesses in software being exploited by threat actors to gain access to customers’ networks and data. In July 2025, a previously unknown (“zero-day”) software flaw in Microsoft SharePoint was reportedly exploited to compromise a number of U.S. federal and state agencies, universities, and energy companies. Multiple forms of best-practice guidance have been released in recent years in an effort to combat these attacks. The issue is whether that guidance has been applied effectively. A lack of threat-informed design can skew prioritization and lead to a false sense of security. Likewise, best-practice adoption in name only (i.e., pro forma), legacy code complexity, and product-by-product variance can complicate the mapping of theory to practice.
