5 Trends in Software Security

2015 brought a number of high-profile security breaches, putting company and consumer information at risk. Ashley Madison, VTech, and even the Department of Health and Human Services had their data compromised.

It could have been avoided.

You've heard this before, but companies like DCG, and my company, proServices, will continue to bring it up until security is taken more seriously. The first step is staying aware of the latest security threats in order to appropriately ward them off. But, as one risk dies out, another will always take its place.

Risk Management

Download this white paper to learn the top 5 vulnerabilities of 2015 - and what's on the horizon for 2016.


Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

Software Overkill and the Software Arms Race

This past year I leased a new car, and it has all of the gadgets, sensors, widgets, "whatchamacallits" and "doohickeys" you see on the commercials. I'm certain this thing has millions of lines of code piping through it at light speed when I turn the ignition ... WAIT! I just forgot ... I don't turn a key anymore, I now push a button. When I shift the car into drive ... WAIT! I just forgot ... I don't shift anymore, I now push a button. In fact, while it's moving, this vehicle is monitoring everything from the outside temperature, to my seating posture, to a 360-degree picture of where it is in relation to other cars on the road and the road itself. I'm amazed at the advances in vehicle technology in the past five years and a bit frightened by the ones coming in the next five years.

I recently watched the 60 Minutes exposé on self-driving cars, where they interviewed the heads of self-driving car development from Mercedes-Benz and Google. You can watch it here. (By the way, how does an internet search company get into self-driving cars? I'll save that for another time.) The car they were driving ... oops, I mean the car that was driving them ... has traveled 20,000 miles without an accident. That's impressive. Sure, there are some shortcomings with the car. The technology can't handle snow. Google's cars can't operate in heavy rain. The Mercedes S500 can't decipher hand gestures from traffic cops or pedestrians. These problems were all claimed to be solvable over time.

The Driverless Car Arms Race

Uber, Google, Audi, Tesla, Mercedes-Benz and others are investing in technology to move as fast as possible towards a driverless model. I remember as a kid being envious of George Jetson's capsule car but never thought autopilot in vehicles would come true in my lifetime. What's the rush? Well, these companies claim that a driverless society would make the roads safer, and I believe them, but that would mean adoption would have to be 100 percent. The most unpredictable element on the road today is the human, and we are trying to engineer them (us) out of the equation.

What's to Come?

If you know how to write software or how to be a part of the software development ecosystem, then you should be gainfully employed in Detroit or in other high-tech companies looking to move in this direction for the rest of your life. Most of the innovation to accomplish this will have to be in software.

You know what's coming next, right? Government regulation. Which, by the way, I'm a fan of in this case in order to hopefully hold these companies accountable for meeting software safety standards that other industries have to comply with, like aviation. What's the difference between a jet plane on autopilot and your car being on autopilot, and why shouldn't the two be held to the same standards?

Respect the Human

I get it. Cars driving themselves are safer. This would allow us to do more productive things with our life, such as bury our heads further in our smartphones to catch up on Facebook or play a vicious game of Candy Crush.

Personally, driving a car is an emotional experience. You are in control of your freedom knowing that you can drive almost anywhere.

Software Quality and Security

Did you really think I would write all of this without mentioning the importance of software quality and security? I don't believe traditional car manufacturers understand the investment it will take to ensure the quality and security of software going into these vehicles. They have to evolve, from their operations to their culture. I openly admit companies like Tesla, Google and even Apple (if they decide to build the "iCar") have an advantage because they see the car as a software platform that you plug hardware into. Unfortunately, others view it the other way around and will have a hard time getting out of their own way.

In the meantime, I have turned off my lane departure warning and forward collision warning sensors because of too many false positives. My passengers think perhaps it's my aggressive driving. They might be correct, but at least it's still my decision if I want to exceed the speed limit, beat another car off the line at a stop light or get to my destination 15 minutes early. That's right! It's my freedom of expression through driving! So get your "vroom vroom" on while you still can, before the autobots take over the roads and your garage.


Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

An Open Letter to Apple ... From a PSC Summer Intern


This year PSC hosted a summer intern program, which included the opportunity to participate on the blog. As the first generation that is "fully connected" from birth, these young adults consider technology another appendage and have much higher expectations for the products they depend on every day. The post below, from one of our interns, Dorothy, gives me hope that millennials care about their data and privacy, not just about having the latest must-have gadget.

Dear Apple,

The announcement about your latest update has me anxiously awaiting your latest features and software – which have always had me in awe. I hear the rumors, see the spoiler videos and honestly cannot wait until the notification icon that lets me know the update is available appears above my settings app. However, after spending the summer working for a leader in software quality and security assessments, I cannot help but have a few questions that I am now dying to ask.

I would like to preface my questions by stating that I am well aware that these vulnerabilities that I’m about to mention can be found in the software of most phones, not just yours. Basically, they can be found in any internet-seeking device, including TVs and computers. But, I’m an Apple fan, so that is where my concern lies, and with the crazy amount of personal, vital information I keep on my iPhone 5s, it scares me to know that someone could instantly access my entire life if they got their hands on my phone.

So, I guess my concern is two-fold. First, Apple, what steps did you take with this update to ensure your software is up to the highest standard of quality upon release? Since you corrected yourself with roughly a-million-and-one “bug fixes” within the month after the original release, I (unfortunately) have to assume that your attempts for heightened quality are mediocre at best. I understand that designing such intricate software is no easy feat, but we, your loving buyers, expect the best from your team upon arrival. Not only do I have to delete almost my entire phone just to download the first round of your update, I have to continue this vicious cycle every time a new -.0.1 comes out. I want to know how you tackle quality and what you’re doing to offer improved quality with every release.

Another question I have is about the security. I have sensitive information on my phone for numerous accounts, some of which are highly sensitive. And let’s not forget about ApplePay (which I personally do not use, but many others do!). What is it that you do to protect this information? Millions of people use your phones – and with great risk. I would like to know that when I log into my email, or Facebook, and especially my checking account, that there’s little-to-no possibility of hackers getting their hands on my information.

What I’m saying is that I’m nervous that you’re not doing your best. As I have already stated, I am aware that these risks are possible with any and every phone on the market. So perhaps this is a letter to every phone company, not just you. But I’m an Apple lover, and I need to know that as your products are getting more and more advanced, you are accordingly raising your standard.

I can thank PSC for bringing the need for high quality, secure software to my attention, via my internship. At PSC, we provide our clients with the standard of excellence your products once provided. We can guarantee the quality and security of your future iOS updates, and we can guarantee that what you’re giving to your customers breaks the expectations they have set forth. You can change your ways, Apple – your brand depends on it.      

This is your call to action, Apple. Who are you going to call?

  - Dorothy

Dorothy, of course, is right! Companies like Apple have the opportunity to provide safe, secure, high quality software, but it's up to them to make that happen. If customers continue to be disappointed by a company's software, the brand will suffer (and a drop in revenue will likely follow). So, like I always say, we're here to help. If your software is in need of a boost, reach out to DCG or to us. Together we can help you produce the software that your customers deserve.


Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

Morning Commute Gone Wrong

Waking up and dragging yourself out of bed on a Monday morning is hard enough. Imagine, on the long, road-rage-inducing ride to work, your car is suddenly taken over by a remote hacker and you lose control. Your brakes stop working, your car starts turning, and maybe you even lose control of your radio, and now Miley Cyrus is playing (yikes!).

Your frustrating ride to work has just become nearly catastrophic, and it all comes down to a lack of software protection in your car's "soft" wiring. Recently, Chrysler found that its cars are vulnerable to these types of attacks, stemming from a wireless service that connects the cars to Sprint's cellular network. According to an article released by CNN, the risk of vehicle hack attacks was discovered in 2013, but increased dramatically with the introduction of wireless connectivity that is now standard in every new car. At first, the hacker can access your air conditioner, radio, and navigation system. However, once inside, they have a terrifying amount of access to your car's ability to drive: your brakes, steering wheel, and gas pedal are all under the hacker's control.

Now, I can assume that between your fearful breathing and paranoid research into your car's ability to fight these hackers, you're thinking, "How could this have happened?" The answer is simple. When companies release their own software, they often do not use the proper amount of caution when analyzing the code for flaws. What companies like Chrysler are quickly realizing is that when their products become part of the connected network, they also become a target. Just like your computer, phone, TV, alarm system, and everything else in your life that is connected.

Cyber security is complex and has many layers. Protecting products like connected vehicles is no easy task, but it's one that is absolutely necessary, considering the industry's accelerated movement towards self-driving cars and the injection of more technology into your vehicle ... yikes! Application security is one of those important layers in a holistic cyber security strategy, and PSC's customers are able to prevent such incidents from originating within the application layer by leveraging our industry-leading software security forensics.

Before you go out and buy a '69 Camaro or old Chevy Impala, realize that companies like Chrysler are very aware of such vulnerabilities and are working with their supply chain to ensure new processes and policies are in place to protect their customers in the new connected automobile world. Keep on the lookout for upcoming announcements of Chrysler’s proactive movement in this area [wink ... wink].


Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

Is the Problem of Software Security Sociological or Technological?

Back in January 2015, Osterman Research published a whitepaper, "The Need for Improved Software Quality." It was a great read, so I wanted to share a few of my favorite "moments" from it, as well as some of my own thoughts.

#1: Fewer than one in five of the organizations surveyed viewed security as the most important criterion when developing custom applications internally or when having custom software developed by third parties.

My thoughts: Software quality and security are still being treated as a low priority. Our business at PSC is offering an MSP turnkey solution to provide software quality and security expertise to our clients. To this day, it amazes even us how reactive organizations are, especially after high-profile events such as the Target data breach. There is a common misperception of, "That won't happen to us; our products aren't a target of hackers." If your products touch a network and are software-driven, then they are a target. Just this morning the news reported how an airline passenger hacked into the jet engines midflight through the telematics and entertainment systems onboard the plane. Gadzooks!

#2: The vulnerability of much of today’s off-the-shelf and custom software, coupled with a lack of management focus on and support for security, is directly responsible for many of the data breaches, financial losses and other security-related problems that have occurred and will occur in the future.

My thoughts: ATTENTION C-Suite executives! The hacker community loves you! They want you to keep your heads buried in the sand so that they can continue to threaten the millions of dollars you have spent on building your loyal customer base and brand.

Need an example? The data breach at Target resulted in a number of serious and long-term problems:

  • Target’s shareholder value dropped by $148 million.
  • Net earnings for the company during the fourth quarter of 2013 were 46% lower than for the fourth quarter of 2012.
  • Sales and the number of transactions during the fourth quarter of 2013 were 3.8% and 5.5% lower, respectively, than for the same period a year earlier.
  • As of August 2013, Target estimated that the cost of the data breach to that point totaled $236 million.

#3: To address these issues, management must focus on security as a top priority in the software development process and must provide sufficient security-focused training to developers.

My thoughts: A good place to start is by addressing process and education. These are long-term investments that take some time to implement but will pay off over time; eventually both will contribute significantly to changing the organization's culture to one that is proactive about, and proud of, software security. In addition, there should be a focus on technology, implementing new tools that will assist the organization in the collection, correlation and collaboration of security data and provide transparent views into risks at all levels.

Is the Problem of Software Security Technological or Sociological?

Clearly there is an issue with software security; this white paper highlights that. But why does this issue exist? It's my contention that the issue of software security is more sociological than technical: it's an issue of culture and complacency. Technology has been available to companies for a long time, enabling them to prevent the injection of software security risks into their products and allowing them to monitor and control their supply chain.

What we have found prevalent in our client accounts is that if executive management doesn't know or understand how such risks relate to company performance, then they don't know to care about them or how to proactively manage them. On the other hand, some executive teams don't want to understand what they don't know about software security, claiming that it's a technical issue that's beneath them.

The smart executive teams dig in and invest the time and money to build a risk framework that incorporates software security metrics into their management reports. This emphasizes software security as an important data point and shifts their software from being regarded as a liability to being regarded as an important asset whose risks are proactively measured, understood, managed and mitigated. These executives are the hackers' worst enemies.

But remember, the hackers only have to be right once; your software team and supply chain have to be right 100% of the time. An impossible task, perhaps, and a lot to ask, but we all should be swinging for the fences to protect our company, products and customers.

Read “The Need for Improved Software Quality” here.

Rob Cross
PSC Vice President


Written by Rob Cross at 05:00