Software Overkill and the Software Arms Race

This past year I leased a new car, and it has all of the gadgets, sensors, widgets, "whatchamacallits" and "doohickeys" you see on the commercials. I'm certain this thing has millions of lines of code piping through it at light speed when I turn the ignition ... WAIT! I just forgot ... I don't turn a key anymore, I now push a button. When I shift the car into drive ... WAIT! I just forgot ... I don't shift anymore, I now push a button. In fact, while it's moving, this vehicle is monitoring everything from the outside temperature, to my seating posture, to a 360-degree picture of where it is in relation to other cars on the road and the road itself. I'm amazed at the advances in vehicle technology in the past five years and a bit frightened of the ones coming in the next five years.

I recently watched the 60 Minutes exposé on self-driving cars, where they interviewed the heads of self-driving car development from Mercedes-Benz and Google. You can watch it here. (By the way, how does an internet search company get into self-driving cars? I'll save that for another time.) The car they were driving ... oops, I mean the car that was driving them ... has traveled 20,000 miles without an accident. That's impressive. Sure, there are some shortcomings with the car. The technology can't handle snow. Google's cars can't operate in heavy rain. The Mercedes S500 can't decipher hand gestures from traffic cops or pedestrians. These problems were all claimed to be solvable over time.

The Driverless Car Arms Race

Uber, Google, Audi, Tesla, Mercedes-Benz and others are investing in technology to move as fast as possible towards a driverless model. I remember as a kid being envious of George Jetson's capsule car but never thought autopilot in vehicles would come true in my lifetime. What's the rush? Well, these companies claim that having a driverless society would make the roads safer, and I believe them, but that would mean adoption would have to be 100 percent. The most unpredictable element on the road today is the human, and we are trying to engineer them (us) out of the equation.

What's to Come?

If you know how to write software or how to be a part of the software development ecosystem, then you should be gainfully employed in Detroit or in other high-tech companies looking to move in this direction for the rest of your life. Most of the innovation to accomplish this will have to be in software.

You know what's coming next, right? Government regulation. Which, by the way, I'm a fan of in this case, in order to hold these companies accountable for meeting the software safety standards that other industries, like aviation, already have to comply with. What's the difference between a jet plane on autopilot and your car being on autopilot, and why shouldn't the two be held to the same standards?

Respect the Human

I get it. Cars driving themselves are safer. This would allow us to do more productive things with our life, such as bury our heads further in our smartphones to catch up on Facebook or play a vicious game of Candy Crush.

Personally, driving a car is an emotional experience. You are in control of your freedom knowing that you can drive almost anywhere.

Software Quality and Security

Did you really think I would write all of this without mentioning the importance of software quality and security? I don't believe traditional car manufacturers understand the investment it will take to ensure the quality and security of software going into these vehicles. They have to evolve, from their operations to their culture. I openly admit companies like Tesla, Google and even Apple (if they decide to build the "iCar") have an advantage because they see the car as a software platform that you plug hardware into. Unfortunately, others view it the other way around and will have a hard time getting out of their own way.

In the meantime, I have turned off my lane departure warning and forward collision warning sensors because of too many false positives. My passengers think perhaps it's my aggressive driving. They might be correct, but at least it's still my decision if I want to exceed the speed limit, beat another car off the line at a stop light or get to my destination 15 minutes early. That's right! It's my freedom of expression through driving! So get your "vroom vroom" on while you still can, before the autobots take over the roads and your garage.

Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

Morning Commute Gone Wrong

Waking up and dragging yourself out of bed on a Monday morning is hard enough. Imagine, on the long, road-rage-inducing ride to work, your car is suddenly taken over by a remote hacker and you lose control. Your brakes stop working, your car starts turning, and maybe you even lose control of your radio – now Miley Cyrus is playing (yikes!).

Your frustrating ride to work has just become nearly catastrophic, and it all comes down to a lack of software protection in your car's "soft" wiring. Recently, Chrysler found that their cars are vulnerable to these types of attacks, stemming from a wireless service that connects the cars to Sprint's cellular network. According to an article released by CNN, the risk of vehicle hack attacks was discovered in 2013, but increased sharply with the introduction of the wireless connectivity that is now standard in every new car. At first, the hacker can access your air conditioner, radio, and navigation system. However, once inside, they have a terrifying amount of access to your car's ability to drive – your brakes, steering wheel, and gas pedal are all under the hacker's control.

Now, I can assume that between your fearful breathing and paranoid research into your car's ability to fight these hackers, you're thinking, "How could this have happened?" The answer is simple. When companies release their own software, they often do not use the proper amount of caution when analyzing the code for flaws. What companies like Chrysler are quickly realizing is that when their products become part of the connected network, they also become a target, just like your computer, phone, TV, alarm system, and everything else in your life that is connected.

Cyber security is complex and has many layers. Protecting products like connected vehicles is no easy task, but it's one that is absolutely necessary, considering the industry's accelerated movement towards self-driving cars and the injection of more technology into your vehicle ... yikes! Application security is one of those important layers in a holistic cyber security strategy, and PSC's customers are able to prevent such incidents from originating within the application layer by leveraging our industry-leading software security forensics.

Before you go out and buy a '69 Camaro or old Chevy Impala, realize that companies like Chrysler are very aware of such vulnerabilities and are working with their supply chain to ensure new processes and policies are in place to protect their customers in the new connected automobile world. Keep on the lookout for upcoming announcements of Chrysler’s proactive movement in this area [wink ... wink].

Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

A Hard Look in the Mirror - [the Independent Auditor’s Paradox]

I am a big believer in setting goals, both short-term and long-term. This provides a structured strategy and defines the low-level tactics required to meet objectives. Once these goals are established, I have laser focus and, at times, have blinders on. This focus and drive has been primarily a blessing, but sometimes I lose perspective.

Our business, proServices, has been an independent "auditor" of software for over a decade, and we are a DCG partner. I have always recognized how uncomfortable this process makes our customers feel because, for the first time, we are providing transparency into the software risks across their organization, so what was once hidden is hidden no longer. This can be very intimidating and make some folks feel exposed and compromised.

The Auditor Becomes the Audited

I had a similar experience recently, when our company was audited. During our initial meeting with our auditors something felt different, but I couldn't put my finger on it. It was almost a surreal experience. First there was a risk assessment, with the auditor asking all types of questions about our documentation, process, etc. Then the auditor asked if we could package up the artifacts under audit cleanly and whether we had control of them for completeness and accuracy. They then explained their audit process and the concepts of transparency.

It wasn't until the day after our initial meeting that it hit me. Quoting Shaggy from Scooby-Doo, "Zoinks!" I had just had the experience my customers have when they first meet with us! It may not sound like a very profound moment, but it was. We at proServices have been "heads down" with laser focus for a long time, trying to change the software world from art to engineering, but I had never had the opportunity to sit on the other side of the table as the audited, not the auditor.

Finding the Humor

As I watched the auditors pore through our artifacts, I found myself saying, "I'm glad I don't have to do that; it looks so boring and tedious!" If I had a nickel for every time one of our customers made that same comment to us, I would be retired. It also made me laugh because at the end of the meeting, the auditor explained how, by going through this revealing process, my business would be better off – and I couldn't disagree with her because I'm in the same business! Oh, the moral dilemma!

Practicing What You Preach

Everyone has a job to do, and we all believe that job is in some way going to make the world we live in a better place. Auditors are people too, and although the process we are going through is uncomfortable, it's necessary. In the end, it will help move us forward, either by learning from any mistakes uncovered or by confirming that we're doing everything correctly.

I'm learning a lot sitting on the other side of the table, including humility. However, looking back over the past decade I have no regrets. We have treated our customers fairly and worked hard to communicate that we are there to help, not to destroy or embarrass. I believe we have been successful in this, judging by the amount of repeat business our customers give us, which is a tremendous vote of confidence.

What I respect most about auditors is their objectivity in not being emotionally tied to the data or results. They only seek to understand the truth, no matter how good or ugly it is. Lastly, I very much respect their disposition, having walked more than a mile in their shoes. I know that as an auditor you are, at times, the least favorite person in the room, and it's tough to build relationships if the other parties are afraid to embrace the truth and put aside egos and politics to do what's right.

So, there you have it. Now that I've been on both sides of the table, I feel like I have a better understanding of our customers. Of course, for me, it also solidified the value of an audit. If your company would benefit from a software audit, I'm happy to help – I've been there too.

Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00

Everything You Need to Know About Cyber Security You Can Learn From Your Plumber

Is it me, or do the headlines regarding compromised Point of Sale (POS) systems keep increasing in frequency? Let's not kid ourselves, there have been some pretty big breaches ... Target, Home Depot, Apple iCloud, and as of today, Jimmy John's. To cyber attackers, retail is the new banking sector!

One of my best friends, Don, is a plumber and also a Captain in the Newark, New Jersey Fire Department. This guy works harder than anyone I know, and he's probably one of the brightest guys I know. I always tease him that he should write a book called "Everything You Need to Know in Life You Can Learn from Your Plumber."

Interestingly, his solutions always come back to how he would approach a technical problem from a plumber's standpoint.

Fly on the Wall

A conversation with Don:

RC: “Did you hear about Home Depot getting breached by a cyber attack?”

Don: "I don't understand what's so difficult. Let me tell you what we do in plumbing. When a homeowner doesn't like what's coming through the pipes, like the way the water looks or tastes, we test the water. Based on the water test results, we can put on layers of water treatment solutions to eliminate the threats, and then we can offer periodic testing. In fact, there are systems now that can do real-time monitoring of water quality and alert us when there is a change."

RC: "First it was Target, and now it's Jimmy John's ... who's next?"

Don: "In plumbing, water finds the path of least resistance; even the tiniest of holes in a pipe or structure will, over time, be found and exploited. Next thing you know, the hole gets bigger and things get ruined. There is always constant isometric pressure of water inside your home or business, and if it's not contained properly, it will run amok. This cyber problem sounds no different to me than what I deal with daily."

RC: “It’s scary stuff and every time I pull out my credit card to pay for something at a store, I think twice now.”

Don: "Rob, that's why cash is king. Let those cyber idiots try to interfere with that transaction. If I don't have the cash, guess what? I don't buy it. Cards are for convenience, at the cost of security and trust, and it's obvious to me that stores aren't smarter than the bad guys, so why should I entrust them with access to my identity, which could lead to my money? The hackers always win."

Don: “I don’t understand why everyone doesn’t use PSC’s software security service. No plumber is allowed to self-inspect his or her own work. There are companies out there building pretty cool and important stuff with software, and I don’t understand why they trust themselves more than your company to offer an outside opinion. I don’t get it.”

RC: "It's not an easy answer. Companies do what they feel is right, and oftentimes that decision is tied to how it impacts revenue or competitiveness in the marketplace. Our customers realize the software security and quality battle is about data and not what technologies are used to identify the issues. Once they make this shift, it begins cascading through the culture of their company to be driven by data instead of opinions. I'm sure in your business there are homeowners who install their own under-the-sink filtration systems and then never check their water again or don't change their filters regularly. They feel safe because they have purchased the 'tool' that is supposed to catch the harmful things. Essentially, they are making their water potentially worse for their family. There will always be someone out there that you will never convince that you can do a better job, approach their water problem from a different perspective and provide better-tasting water beyond their imagination. To them you're just the plumber that only fixes pipes and not water quality problems. It's no different in my business."

Don: "Hm ... but my customers aren't building things that could potentially kill someone, cause the market to crash or cause damage to their brand in the market. You won't find me shopping at Home Depot anymore."

Don makes a valid point, right? This, of course, is why I have been urging him to write a book – believe me, his brilliance doesn't stop at the current state of cyber security in retail.

The Future

I don't know if Apple Pay will save the day, or Bitcoin, or Zerocash. What I do know is that companies need to set aside more of their budgets to address cyber security on an ongoing basis. An unbiased opinion can provide valuable information that could make or break the future of your brand and the loyalty of your customers.

Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00

The Untouchables: “It’s Not Who’s Right, But What’s Right.”

Golden Rules for “Code-Red” Project Leadership

My first job out of college was as part of an eleven-person, high-performance, elite group of professionals who had a mission to change the culture of a nationwide 16,000-member organization. This mission was no small task, as it involved being extremely disruptive and routinely challenging the status quo thinking of members in order to help them realize their full potential and view reality from a different perspective.

We named our group "The Untouchables" because our motto was, "It's not who's right, but what's right," and because we all liked the premise of the movie (pictured above). We all took our job very seriously and because of this, we not only changed ourselves, but helped this organization start a cultural shift that fundamentally shattered the "old" way of doing things, starting a movement of change across an industry.

I believe that there are times in our professional careers when we are presented with an opportunity to do what’s right and shatter the existing paradigm of status quo. This opportunity can lead to either tremendous success or spectacular failure, but I have personally found that it has yielded only success for my customers.

The Right Type of Leadership

I'm Vice President of PSC, an independent software analysis and risk analytics company. As such, I've witnessed numerous chances for my clients to change the status quo. Many of these moments come at the cost of spectacular failure (otherwise known as "Code-Red" events). These are critical moments for project teams, coupled with very high emotions and an intense need for leadership.

In these times of turmoil, the best leadership asks the right questions:

  • Where are the risks?
  • How severe are they?
  • In what order of priority should they be addressed?
  • How quickly can they be fixed?
  • What process failed, allowing these risks to cause this event?
  • What is the reality versus what we thought regarding our process?
  • How do we prevent this from happening again?

This type of leadership is focused on "what's right," and all of these projects end up going from "red" to "green" in very little time because the tone and focus are driven by data, not opinions or emotions.

However, there are other leaders who tend to focus on “who’s right,” asking questions like:

  • Who is responsible for these risks?
  • What group owns this functionality?
  • Whose responsibility was it to look at the data from the tools?
  • Who wasn't following our process?

Most of the projects under these types of leaders fix the most acute issues but continue in their death spiral of pointing the finger and playing the blame game, hemorrhaging their top talent and executives from the company. It's a tragedy to watch, but an unfortunate reality if the leadership is focused on the wrong side of the equation.

An Illustration

Here’s an example. I once worked on a big program that was highly visible in a large organization. The program was late and over budget, and the end customer at the highest level was becoming angry and threatening to penalize the company due to lack of performance. More importantly, the program had passed the point of no return, and cancelling the project would have been financially devastating for the customer.

The customer called us in to help, suspecting that most of the problems were coming from software provided by its supply chain. It hired us to assess a narrow set of software that was particular to one supplier and, unbeknownst to us, the company did not inform the supplier of our activity. Don't worry, all of you lawyers out there, our customer had data rights to the software! Well, wouldn't you know, the software was a target-rich piece of code, fraught with errors.

The most uncomfortable moment came when we were invited to a boardroom with the top brass of our customer and the supplier to present the results. We didn't make it through the first 20 minutes of presenting our findings when we were asked to leave (tempers were flaring between the company and the supplier). The meeting soon adjourned, and the supplier's executives stormed out of the boardroom and the building.

Here's the great news: shortly after the meeting I received a phone call from one of the supplier's top executives, who had been in attendance at our earlier explosive meeting. A couple of hours later we were in his office, hired to help the company get its house in order and focus on "what's right." Less than four months later, the software we had initially analyzed as the cause of most of the issues was deemed the most reliable in the entire program, surpassing software both from other suppliers and from our original customer.

Did our customer demonstrate leadership focused on "who's right" or "what's right"? You know the answer. Our original customer ended up losing, as well as changing, a lot of its top talent and executives because it continued to spin after our work was completed. A changing of the guard became necessary to recover its reputation. The new batch of executives placed blame on the old and hit the reset button, only to follow the same path as their predecessors. The program survived and was eventually delivered – exceeding all schedules and busting budgets.

The Moral of the Story

So, it's time for the moral of the story. Our original customer had an opportunity – that brief moment in time where it could have shifted its focus to "what's right," not only for its entire supply chain, but also for its own operations. But it chose not to. I have found in volatile situations, be they personal or professional, that if I focus on what's right, the results benefit everyone. Unfortunately, this road is less traveled because often the right choice is not the popular choice; but, in the end – and with time – others will see your actions and decisions as "untouchable" leadership.

What kind of leader are you?

Rob Cross
PSC Vice President

Written by Rob Cross at 05:00