Is the Problem of Software Security Sociological or Technological?

Back in January 2015, Osterman Research published a whitepaper, "The Need for Improved Software Quality." It was a great read, so I wanted to share a few of my favorite "moments" from it, as well as some of my own thoughts.

#1: Fewer than one in five of the organizations surveyed viewed security as the most important criterion when developing custom applications internally or when having custom software developed by third parties.

My thoughts: Software quality and security are still being treated as a low priority. Our business at PSC is offering an MSP turnkey solution to provide software quality and security expertise to our clients. To this day, it amazes even us how reactive organizations are, especially after high-profile events, such as the Target data breach. There is a common misperception of, "That won't happen to us; our products aren't a target of hackers." If your products touch a network and are software-driven, then they are a target. Just this morning the news reported how an airline passenger hacked into the jet engines midflight through the telematics and entertainment systems onboard the plane. Gadzooks!  

#2: The vulnerability of much of today’s off-the-shelf and custom software, coupled with a lack of management focus on and support for security, is directly responsible for many of the data breaches, financial losses and other security-related problems that have occurred and will occur in the future.

My thoughts: ATTENTION C-Suite executives! The hacker community loves you! They want you to keep your heads buried in the sand so that they can continue to threaten the millions of dollars you have spent on building your loyal customer base and brand.

Need an example? The data breach at Target resulted in a number of serious and long-term problems:

  • Target’s shareholder value dropped by $148 million.
  • Net earnings for the company during the fourth quarter of 2013 were 46% lower than for the fourth quarter of 2012.
  • Sales and the number of transactions during the fourth quarter of 2013 were 3.8% and 5.5% lower, respectively, than for the same period a year earlier.
  • As of August 2013, Target estimated that the cost of the data breach to that point totaled $236 million.

#3: To address these issues, management must focus on security as a top priority in the software development process and must provide sufficient security-focused training to developers.

My thoughts: A good place to start is by addressing process and education. These are long-term investments that will pay off over time and take some time to implement, but eventually both will contribute significantly to changing the organization's culture to being proactive and proud of software security. In addition, there should be a focus on technology, implementing new tools that will assist the organization in collection, correlation and collaboration of security data and providing transparent views into risks from all levels.

IS THE PROBLEM OF SOFTWARE SECURITY TECHNOLOGICAL OR SOCIOLOGICAL?

Clearly there is an issue with software security – this white paper highlights that. But why does this issue exist? It's my contention that the issue of software security is more sociological than technical – it's an issue of culture and complacency. Technology has been available to companies for a long time, enabling them to prevent the injection of software security risks into their products and allowing them to monitor and control their supply chain.

What we have found prevalent in our client accounts is that if executive management doesn't know or understand how such risks relate to company performance, then they don't know to care about them or how to proactively manage them. On the other hand, some executive teams avoid learning what they don't know about software security by claiming that it's a technical issue that's beneath them.

The smart executive teams dig in and invest the time and money to build a risk framework that incorporates software security metrics into their management reports. This emphasizes software security as an important data point and shifts their software from being regarded as a liability to being treated as an important asset whose risks are proactively measured, understood, managed and mitigated. These executives are the hackers' worst enemies.

But remember, the hackers only have to be right once – your software team and supply chain have to be right 100% of the time. An impossible task, perhaps, and a lot to ask, but we all should be swinging for the fences to protect our company, products and customers.

Read “The Need for Improved Software Quality” here.

  
Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

One Step Forward, Ten Steps Back in Cyber Security

This past weekend, my wife and I went to visit our local jeweler to have our wedding bands repaired after many years of wear and tear. The owner of the store is your typical small business jeweler. He opens and closes his store, mops the floors, cleans the jewelry – and everything in between, including managing his own IT infrastructure.

My wife and I were the only ones in his store at the time, and he kindly asked about my business, which I described as a software security consulting firm. This piqued his interest, and he began to engage me in "techie" talk. He showed me his backroom, full of state-of-the-art equipment. He had everything Apple, from desktops, laptops and iPads to high-end gemology equipment; it was quite impressive. 

As we were checking out, our jeweler chuckled and said, “You’re probably going to laugh later about how much of an idiot at technology I am," and he turned his screen to show me that his point-of-sale (POS) system is still a DOS-based system. It was quite a nostalgic moment – it has been forever since I have seen a DOS-based system. With shock, I asked him why he never upgraded. His explanation was simple. Like the rest of us, he reads the papers and listens to the mainstream media and has been bombarded by stories of hackers and cyber attacks over the years. His logic was, "What hacker out there is targeting DOS-based systems?" He continued to justify this by telling me that his most important customer data is stored in this DOS-based system and that he can't afford to lose it due to viruses or a hacker. 

Idiot or Idiot Savant? 

This resulted in a vicious debate inside my brain regarding whether his strategy was complete gross negligence or utterly brilliant. He is perfectly content with this system and its functionality. It offers the basics of what he needs to manage his customers and it continues to work great. One could argue that he did a very smart thing by keeping it simple – if it’s not broken, don’t fix it. Of course, I could also argue that by not upgrading or backing up his machine, he's one crash away from trashing his data; so, why not upgrade and just keep that computer as a standalone system? 

Who Will Inherit Cyberspace? 

As I continue to think it through, I have flashbacks to movies where aliens invade the planet and we're reduced to simple forms of communication, such as Morse code (thank you, Will Smith and Independence Day). Have we arrived at the same juncture in cyberspace, where things have gotten so bad that we're now reduced to dialing back the clock to the days of the green screen, the Morse code equivalent?

The Tide is Changing

In the wake of high-profile breaches (e.g., Target, Home Depot, Sony), as more executives in the C-suite begin to feel the heat for under-investing in cyber security, I have high hopes that the rest of us will benefit.

If we as consumers demand accountability and hold our favorite brands to it, then perhaps small business owners, such as my jeweler, can crawl out from under the stones of MS-DOS and regain confidence in current software that could foster potential growth.

I feel confident that the tide will soon change, cyber security will become a greater priority, and everyone from big businesses to tiny consumers will be better off for it.


Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

A Hard Look in the Mirror - [the Independent Auditor’s Paradox]

I am a big believer in setting goals, both short-term and long-term. This provides a structured strategy and defines the low-level tactics required to meet objectives. Once these goals are established, I have laser focus and, at times, have blinders on. This focus and drive has been primarily a blessing, but sometimes I lose perspective.

Our business, proServices, has been an independent “auditor” of software for over a decade, and we are a DCG partner. I have always recognized how uncomfortable this process makes our customers feel because, for the first time, we are providing transparency into the software risks across their organization, so what was once hidden is no longer. This can be very intimidating and make some folks feel exposed and compromised.

The Auditor Becomes the Audited

I had a similar experience recently, when our company was audited. During our initial meeting with our auditors, something felt different, but I couldn't put my finger on it. It was almost a surreal experience. First there was a risk assessment, with the auditor asking all types of questions about our documentation, process, etc. Then the auditor asked if we could package up the artifacts under audit cleanly and if we had control of them for completeness and accuracy. They then explained their audit process and the concept of transparency.

It wasn't until the day after our initial meeting when it hit me. Quoting Shaggy from Scooby-Doo, "Zoinks!" I just had the experience my customers have when they first meet with us! It may not sound like a very profound moment, but it was. We at proServices have been "heads down" with laser focus for a long time, trying to change the software world from art to engineering, but I never had the opportunity to sit on the other side of the table as the audited, not the auditor.

Finding the Humor

As I watched the auditors pore through our artifacts, I found myself saying, "I'm glad I don't have to do that; it looks so boring and tedious!" If I had a nickel for every time one of our customers made that same comment to us, I would be retired. It also made me laugh because at the end of the meeting, the auditor explained how, by going through this revealing process, my business would be better off – and I couldn't disagree with her because I'm in the same business! Oh, the moral dilemma!

Practicing What You Preach

Everyone has a job to do and we all believe that job is in some way going to make the world we live in a better place. Auditors are people too and although the process we are going through is uncomfortable, it’s necessary. In the end, it will help move us forward by learning from any mistakes uncovered or by confirming that we’re doing everything correctly. 

I’m learning a lot sitting on the other side of the table, including humility. However, looking back over the past decade I have no regrets. We have treated our customers fairly and worked hard to communicate that we are there to help, not destroy or embarrass. I believe we have been successful in this by the amount of repeat business our customers give us, which is a tremendous vote of confidence. 

What I respect most about auditors is their objectivity in not being emotionally tied to the data or results. They only seek to understand the truth, no matter how good or ugly it is. Lastly, I very much respect their disposition, having walked more than a mile in their shoes. I know that as an auditor you’re, at times, the least favorite person in the room, and it’s tough to build relationships if the other parties are afraid to embrace the truth and put aside egos and politics to do what’s right.

So, there you have it. Now that I’ve been on both sides of the table, I feel like I have a better understanding of our customers. Of course, for me, it also solidified the value of an audit. If your company would benefit from a software audit, I’m happy to help – I’ve been there too.   


Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00

Everything You Need to Know About Cyber Security You Can Learn From Your Plumber

Is it me, or do the headlines regarding compromised Point of Sale (POS) systems keep increasing in frequency? Let's not kid ourselves, there have been some pretty big breaches … Target, Home Depot, Apple iCloud, and as of today, Jimmy John's. To cyber attackers, retail is the new banking sector!

One of my best friends, Don, is a plumber and also a Captain in the Newark, New Jersey Fire Department. This guy works harder than anyone I know, and he’s probably one of the brightest guys I know. I always tease him that he should write a book called “Everything You Need to Know in Life You Can Learn from Your Plumber.” 

Interestingly, his solutions are always equated to how he would approach a technical problem from a plumber’s standpoint. 

FLY ON THE WALL

A conversation with Don:

RC: “Did you hear about Home Depot getting breached by a cyber attack?”

Don: “I don’t understand what’s so difficult. Let me tell you what we do in plumbing. When a home owner doesn’t like what’s coming through the pipes, like the way the water looks or tastes, we test the water. Based on the water test results, we can put on layers of water treatment solutions to eliminate the threats, and then we can offer periodic testing. In fact, there are systems now that can do real-time monitoring of water quality and alert us when there is a change.” 

RC: "First it was Target, and now it's Jimmy John's … who's next?"

Don: "In plumbing, water finds the path of least resistance; even the tiniest of holes in a pipe or structure will, over time, be found and exploited. Next thing you know, the hole gets bigger and things get ruined. There is always constant isometric pressure of water inside your home or business, and if it's not contained properly, it will run amok. This cyber problem sounds no different to me than what I deal with daily."

RC: “It’s scary stuff and every time I pull out my credit card to pay for something at a store, I think twice now.”

Don: “Rob, that’s why cash is king. Let those cyber idiots try to interfere with that transaction. If I don’t have the cash, guess what? I don’t buy it. Cards are for convenience, at the cost of security and trust, and it’s obvious to me that stores aren’t smarter than the bad guys, so why should I entrust them with access to my identity, which could lead to my money. The hackers always win.”   

Don: “I don’t understand why everyone doesn’t use PSC’s software security service. No plumber is allowed to self-inspect his or her own work. There are companies out there building pretty cool and important stuff with software, and I don’t understand why they trust themselves more than your company to offer an outside opinion. I don’t get it.”

RC: “It’s not an easy answer. Companies do what they feel is right, and oftentimes, that decision is tied to how it impacts revenue or competitiveness in the marketplace. Our customers realize the software security and quality battle is about data and not what technologies are used to identify the issues. Once they make this shift, it begins cascading through the culture of their company to be driven by data instead of opinions. I’m sure in your business there are homeowners who install their own under-the-sink filtration systems and then never check their water again or don’t change their filters regularly. They feel safe because they have purchased the “tool” that is supposed to catch the harmful things. Essentially, they are making their water potentially worse for their family. There will always be someone out there that you will never convince that you can do a better job and approach their water problem from a different perspective and provide better tasting water beyond their imagination. To them you’re just the plumber that only fixes pipes and not water quality problems. It’s no different in my business.”     

Don: “Hm … but my customers aren’t building things that could potentially kill someone, cause the market to crash or cause damage to their brand in the market. You won’t find me shopping at Home Depot anymore.” 

Don makes a valid point, right? This, of course, is why I have been urging him to write a book – believe me, his brilliance doesn’t stop at the current state of cyber security in retail. 

THE FUTURE

I don't know if Apple Pay will save the day, or Bitcoin, or Zerocash. What I do know is that companies need to put aside more of their budgets to address cyber security on an ongoing basis. An unbiased opinion can provide valuable information that could make or break the future of your brand and the loyalty of your customers.

 

Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00

Fox in the Henhouse: The Power of Independent Software Assessments

Have you ever been in a situation where you were tasked to critique or review a fellow associate's creative work?

How would you feel about going to an art gallery and providing criticism directly to the artist? 

It’s not easy, right? How secure would you feel about your software if I said that this happens in your organization every day? For many organizations, the quality of their code is directly tied to peer reviews and constructive criticism.

Sociologically speaking, it's tough to be in any of the above situations, where you have to provide constructive criticism to a peer. I truly admire those who can remain objective and factual during any peer review, be it about art or software. I know from my own creative experiences that it's unpleasant to take your work in for review by a peer or superior. It's difficult not to be defensive and take constructive criticism personally. So, in many cases, the colleague reviewing your work may gloss over some of the errors to prevent hurt feelings and awkward workplace situations – which, in this case, means your software is suffering.

 

SOME FLAWED ASSUMPTIONS

There are a number of assumptions organizations make about their software, which they believe is proof that their software is high quality and secure. Let’s evaluate these assumptions, shall we?

“Tools simplify the problem” – We all wish this were true, but the reality is that while most software tools do find quality and security defects in software, it is at the consequence of finding voluminous false-positive data and, more importantly, errors of omission that we don’t find out about until it’s too late.

"Code peer reviews are always performed" – Even among our clients that follow a CMMI Level 3+ process, we do not have one that would answer the following questions with an absolute yes:

  • Are peer reviews performed on all of the code produced? 
  • Do you know when they were performed, the result and trending information from the mitigation plan? 
  • Do all of your engineers use software tools to assist and do you know how the resulting data is managed to a measurable result? 
  • Are the results socialized with peers, superiors and upper management to proactively understand quality and security risks?  

"We never shortcut our process" – No company or development organization can defy the laws of software physics to bend its code around space and time. However, this doesn't eliminate the pressure of trying to deliver new functionality and products to market before the competition to capture more market share. Therefore, shortcuts are taken, with the belief that we will circle back and do it the right way when we have more time, which we never have.

“Software engineers are super humans!” – It’s mission impossible for software engineers to do everything, but that is their responsibility (right?), including:

  • Memorizing 1,000s of software standards by language.
  • Reviewing not only their own code, but also their peers’ code, in time to make a release date.
  • Sifting through 1,000s of false-positive data instances produced from software tools to identify the three percent that are real killers. 

“Engineering peers can overcome the pressure of reviewing code” – I’m not convinced this is fair. I have no doubt our engineers try their very best to be constructive, but they more than likely also hold some criticism in order to not damage a relationship. Also, many of our clients do not invest in training their engineers in the proper method of reviewing code.

 

WHY INDEPENDENCE = UNFILTERED TRUTH

First, there is no silver bullet for ensuring you have quality code, but there are solutions that provide key capabilities to any software organization. As both an advocate and provider of independent reviews of software, we have seen dramatic impacts on organizations. The most common feedback is appreciation for the truth in the data produced.

When you hire an independent, they do not have a vested interest in the outcome of the service, other than the integrity of the process and ensuring that the resulting data is preserved at extremely high levels of assurance. The collection of massive amounts of software risk data, leveraging numerous software technologies, is an eye-opener to clients on the power of technology hooked into a well-defined data management process. Correlating these identified risks to quality, security and performance concerns against multiple standards, across multiple language spaces, yields the organization economies of scale in effectiveness and efficiency that they are unable to achieve using internal resources under pressure from market, customer and competition demands. 

The most dramatic impact we have seen in organizations is the effect that socializing the resulting information has in improving the collaboration between executive and technical teams. Both audiences trust the information because neither produced it. This does not completely eliminate the hurt feelings in pointing out risks and flaws in someone’s code.  However, at a minimum, it opens up the lines of communication because the conversation is based on facts and not opinions. It’s amazing to see the dynamics of the room change from hostile to “We’re in this together” once they have a common framework of understanding the data. From personal experience, we oftentimes hear a sigh of relief from engineers once they understand the amount of work required to muscle the data down to actionable results, happy that they didn’t have to do it.      

It's 2014 and software has been in our society for 30+ years, powering just about everything these days, from our homes to our cars. We should be past the common myths of believing our own engineers truly have the time to review code the right way – and the courage to remain objective. Perhaps with recent examples in the news of several companies' stock prices taking a hit from software glitches (e.g., Twitter server crashes) and cyber attacks (e.g., Target), it might be time to consider another approach, offering superior data integrity to make critical business decisions in the best interest of our brands, customers and stockholders.

 

Rob Cross
Vice President, PSC

Written by Rob Cross at 05:00
