Software is Your Brand.



GM Recalls 300,000 Trucks Due To Software Glitch

Delta Offers Dirt Cheap Airfares Because of Software Glitch

Infiniti Q50 Recalled For Steer-By-Wire Software Glitch

Target, Neiman Marcus Not Only Victims of Cyber Attacks


What do all of the above headlines have in common? It’s not what you think. The answer is that none of the companies named are “software companies.” 

Unless you live in the middle of the desert and/or under a rock, from the moment you wake up in the morning until you go to bed at night, your life is constantly touched by products and services driven by software. Unfortunately, this reality is now just starting to catch up with the providers of these products and services. 

For example, General Motors, Chrysler and Infiniti are car makers, and when you look at their logos, you picture a physical product, be it a pick-up truck or a luxury vehicle. You think, “Aaaah, that new car smell!” However, did you know that in the near future your car will contain more lines of code than the F-22 fighter jet? Between the powertrain components, safety systems and infotainment systems, software is as important as tires for these vehicles to work. Automobiles are just one example; consider all of the other “things” in your life containing code … cell phones, refrigerators, airplanes, credit card machines, traffic lights, elevators, MRI machines, power stations, data centers, televisions, etc. 

What’s the “so what?”  Until corporations value their software as part of their brand and reflect that in their budgets, we as consumers will continue to be the test bed. There is ample room for interpretation on this point. As the old saying goes, “If all you have is a hammer, then everything turns into a nail.” Certainly I’m not suggesting companies developing mobile apps should scrutinize their software in the same way medical device manufacturers do. However, at a minimum, we expect companies to value their software as an essential asset and put a proper risk management process in place that fits the risk signature of the system to consumers. 

At ProServices, we are currently working with a couple of Fortune 100 organizations in the early stages of putting together a holistic software quality strategy (Hallelujah Chorus!). Their approaches have similar foundations by addressing the challenges with People, Process, Technology, Standards, Data Management and Information Transparency. Another core principle in each of the initiatives is changing their posture from reactive to proactive by pushing their strategies to the frontlines at ground zero. These organizations have recognized that software is part of their brand and deserves the same amount of brain space and budget as the other aspects of their business. 

There is no doubt in my mind that these organizations will soon be head and shoulders above their competitors once they execute these strategies and realize the benefits to their bottom line. More importantly, this strategy will protect their brands from embarrassing failures that would erode their positioning in the market. 

Contrary to popular belief, software doesn’t just happen. It really does require the same engineering principles championed by the great contributors to the global quality movement: W. Edwards Deming, Joseph M. Juran, Dr. Kaoru Ishikawa and Genichi Taguchi. I’m not suggesting that on day one we start porting Taguchi’s methods into software, but perhaps we can use the lessons learned from incorporating their methods into other business disciplines, taking pieces of their work, as appropriate, to help all of us respect software as an important part of the products and services we offer to consumers. 


Rob Cross
PSC, Vice President    

Written by Rob Cross at 08:00

The Next Generation of Hackers? Assess Your Application Security Now!

Today’s youth … tomorrow’s threat? It’s absolutely mind-boggling that kids today know how to swipe an iPad before they learn how to talk or write. Don’t you agree?

Computers, handhelds, software: the interconnectedness that was once foreign to people like me is a natural appendage to the next generation. Why am I bringing this up? The systems and software designed today were built by a generation that had to painfully adjust their lives to the constant interruption and disruption of technology. We have integrated ourselves into this new reality time and time again.

However, tomorrow’s generation is integrated with technology almost from birth. Sociologically, we are at a disadvantage because this younger generation will easily find ways to compromise the systems we have designed using outdated technology paradigms. Perhaps this paradox is nothing new; however, the rate of technology invention will not outpace the rate of human innovation and the ability to compromise technology in the decades to come. If you don’t believe it, check out the news story below and try to catch your jaw from hitting the floor.  

British schoolboy, 16, 'took part in world's biggest cyber attack and was found to have significant amount of cash flowing through bank account

Adding more logs to the fire, a number of companies that traditionally have not developed software in the past, such as consumer goods companies, are beginning to dabble in the “digital black arts” (aka software development). Additionally, many more companies are integrating software (open source or commercial off-the-shelf) into their environments. But these companies often do not understand the risks that come with these initiatives. The question becomes: how can these companies manage these changes and manage the risk?

Like any good problem, the solution requires a holistic and layered approach, starting with cyber security. There are many opinions out there regarding the layers of security needed to sufficiently address this growing threat; I, however, will just discuss one: application security.    

It’s always interesting to me when we receive the phone call from a company known to be the leader in its market because it has a “situation.” The conversation usually starts with a quick signing of an NDA, and then we’re immersed in the details of how the company has been compromised from not proactively paying attention to application security; and, before they go public, they need to make sure a solution is in place.

I have enormous amounts of respect for these companies, and I’m in awe of their incredible ability to execute ultra-complex, go-to-market strategies and build empires. However, when it comes to making sure their digital assets are locked down, they have fallen short and are unknowingly playing the cyber equivalent of Russian roulette. The C-level executives in these situations are typically speechless, having found out that after the millions of dollars and years of hard work spent building a loyal and strong customer base, it has rapidly started to erode in less time than it took my old Atari 2600 to boot up and load Pac-Man. 

The cyber threat is here and it’s not going away. In fact, it’s growing at a rate that is mind blowing, and with new generations in the pipeline growing up with technology integrated from the start into their daily lives, we’re in for a ride. 

Doing due diligence by having an independent party come into your company to assess your application security readiness needs to be part of the corporate strategy as a planned, proactive activity. Your customers and shareholders deserve nothing less. It’s not a silver bullet per se, but part of a bigger holistic cyber security strategy that will at least keep your company in good standing and perhaps a half-step ahead of the bad guys in cyberspace.

By the way, this photograph is such a violation of my nostalgic memories. How dare someone commingle an iPhone with my beloved Atari 2600. As we would say back then, “Dude, that’s totally cool … NOT!” 


Rob Cross
PSC, Vice President              

Written by Rob Cross at 05:00

Is Your Software a Lamborghini or a Yugo?

When I was a kid, my bedroom walls were plastered with posters of Lamborghinis (mixed in with the occasional poster of your favorite eighties hair band). The image and branding of Lamborghini is the epitome of performance and sex appeal in the most extreme sense. It turns out that the love for these cars is genetic, and my 12-year-old son shares my obsession.

This slick image is something we all try to achieve with the things we build. Our customers always have the requirement to build their software so it’s fast ... like “Lamborghini” fast! However, oftentimes they find in the end that they really built something else …

Enter the Yugo! If it were, as my 12-year-old would say, “opposite day,” then you would be driving one of these cars instead, the shining star of the automotive industry where economical violently crashes into ugly. I believe these cars went from zero to sixty in 30 minutes, with your friends giving you a push start. Fred Flintstone and Barney Rubble could pedal their car faster.  

Unfortunately, sometimes our software shares the same characteristics of a Yugo, and we start to ask the question, “How did we get here?”

Most of the time our customers blame time-to-market demands for running their software process at Lamborghini speed, which causes them to push performance off until the end (because features are more important). In the worst cases, by the time our customers come to this conclusion they realize a decision to COMPROMISE is unavoidable. In other words, the software may have the sex appeal of a Lamborghini, but when you step on the gas she doesn’t go. Most of the time they have hard-wired the poor performance into their architecture, and correcting it is major surgery and very expensive. However, all is not lost! Software, unlike actual cars, can be “bent” and changed much more easily, and in many ways that have a material impact on its performance.  

From our experience as a company, performance tuning software is a unique capability, and not every software organization has the correct mix of talent, technology and, most importantly, time to pull it off themselves. What we also find is that the definition of performance varies across projects and even across engineers within a project. The key is understanding which definition the market deems most important and focusing on those targets as the priority; the rest of the performance requirements can be addressed over several releases. Another key factor is the economics of this activity: fixes that deliver the maximum improvement in performance with the lowest impact on the architecture come first.

We know that it’s hard to take a step back from the wonderful work you created and realize you began the journey wanting to build something sexy and fast, but unfortunately today was opposite day. The team’s intentions were absolutely in the right place, but the speed of the process and other competing priorities interfered with the dream of building a Lamborghini. Rest assured, there are ways to engineer performance back into the software, so in the end you may not have the Lamborghini, but you definitely won’t have a Yugo; instead you might end up with …  

Van
Yup … you knew this is where I was going.  She’s not sexy and she’s not ugly either. She’ll do zero to sixty a heck of a lot faster than both a Yugo and Fred and Barney. Lots of utility and incredibly reliable with mass market appeal. Yes, folks, this is what most of us (including me on weekends) drive.  

Why should our software be any different?  

Rob Cross
PSC, Vice President              

Written by Rob Cross at 05:00

Medical Devices Face Cyber Security Threats

Holy Heart Attack, Batman! It’s amazing how much software touches every aspect of our daily life, from the furnace in our homes to pacemakers. Software-intensive systems alone carry an element of risk. However, once these systems are connected to a network and “on the grid,” there’s a whole new risk involved with them: cyber security.

The referenced article from Reuters discusses the FDA’s recent warning about the vulnerability of medical devices connected to a network. The article cites research stating that medical devices connected to a hospital’s network can be taken over and manipulated by whoever controls them, without the hospital staff knowing. Yikes!

I know you’re thinking some of the same crazy things I’m thinking. Imagine a patient in the ICU on an air ventilator, who is also receiving medication via the IV infusion pump. Both machines are connected to the hospital network and monitored centrally at the nurse’s station, so in theory, they are “on the grid.” What’s to prevent a hacker from developing a virus to specifically target such devices and implement malicious behavior, such as shutting down the ventilator or increasing the dosage of medication to our fictitious patient? According to this article, nothing is really stopping that from happening.  That’s not only crazy but also scary.  

Now, let’s reel the crazy back in and look at reality. This is a wake-up call, not only to the medical device industry, but to all industries making network-enabled products. If a product is “on the grid,” it’s a target for hackers, and measures need to be taken to protect customers from malicious attacks. One of the common mistakes we see hardware-centric companies make is under-investing in their software capabilities because they don’t understand software, yet they know it adds a lot to their bottom line. They’re hooked on the revenue.

For example, let’s add an LCD display to refrigerators, connecting your Tumblr, Facebook and Pinterest accounts to it, along with a calendar, to-do lists, grocery lists, etc. The maker of the fridge can pump up the price $600 - $1,000 with this new sexy feature. Sounds great – until someone finds a way to connect in through your unsecured home network and shut down your fridge, resulting in a loss of $1,000 worth of perishables.

I’m sure we could come up with hundreds of examples. Again, from our cars to TVs, everything is becoming a target.  

For the executives of such companies who might be reading this, from all of us consumers out here, be in it to win it! Don’t treat software and software security as second-class citizens. Your brand can’t afford to take the hit and we can’t afford to become mass targets of opportunities.

Until my next post, stay healthy and out of hospitals!


Rob Cross
ProServices, Vice President

Written by Rob Cross at 05:00

Is Your Company Prepared to Defend Against a Hacker?

Life as we know it has changed, and nothing is untouchable now, including your company’s brand! Example?

2.4 Million Credit, Debit Cards Hacked at Schnucks Markets

I’m not sure what to think anymore when you see the CEO of a grocery store chain called Schnucks explain how 2.4 million credit card numbers were stolen from their systems by cyber hackers. I live in New Jersey and have never heard of Schnucks before in my life, but their website indicated that they were founded in 1939 in North St. Louis; the well-loved, neighborhood grocery store.  

Pictured here are Edwin and Anna Schnuck back in 1937 (source: http://www.schnucks.com). These were the good old days before credit cards and cyber hackers. Everyone knew their butcher, pharmacist, mailman and barber by first name. In fact, Schnucks is known as “The Friendliest Stores in Town.”  

Seventy-six years later, they have more than 15,000 employees and more than 100 stores. More importantly, they are on the “grid” and have been a target and victim of cyber attackers. It took this company 76 years to build their brand and a loyal customer base, but it took hackers less than a day to exploit this wonderful company’s unfortunate vulnerabilities and tarnish their relationship with their customers. Shameful, awful, horrific, and I’m sure if Edwin and Anna were still alive, they’d find it all very confusing.  

What is cyber security, and why didn’t the “Friendliest Store in Town” have the systems in place to be the unfriendliest target for cyber criminals? I don’t presume to have the definitive answer to either question, but I have some thoughts.  

From my simple point of view, cyber security comes in many layers: social engineering, network protection, application security and database assurance. All are intertwined, and the weakest link cliché does apply. Because my company focuses on application security, I can speak knowledgeably on this topic. Regardless of whether Schnucks or other businesses do their own application development or they purchase commercial off-the-shelf or custom solutions, each should have its own strategy for identifying security risks and vulnerabilities.  

Trust But Verify!  

“Different strokes for different folks” applies here. Some companies prefer to do all development in-house so they can control their risks. Others buy software from vendors, feeling they have shifted the burden of risk to those vendors because lawyers were involved to clearly define this shift in responsibility.  

From the perspective of a company’s brand and the precious relationship it has with its loyal customer base, this burden should never be shifted, and proper process and controls should be in place. My company performs numerous software security audits every year across different industries, and it’s the exception, not the rule, when we come across an application that has zero security flaws. This applies to both in-house developed and third-party applications.  

Even though your company may trust its employees and its long-time vendors, you should verify that they have been following the proper process and controls. Your company’s brand is too important! Whether it’s through a third-party, independent evaluator like PSC, or an internal team firewalled from both the vendor and the development team, your company should be forensically analyzing the applications riding on your networks and interfacing with your employees, vendors and customers for security flaws.  

There are many reasons why this critical activity is overlooked or improperly performed, from schedule compression to a lack of secure coding training for developers. Not factoring these weak points into your software security risk model is fatal.  

As George W. Bush said, “In our efforts to discover and stop attacks, we have to be right every time; the terrorists only have to be right once.” This applies to your cyber security and application security posture. The cyber criminals only have to be right once and the hard work and millions of dollars you have spent in building your company’s brand, reputation and relationship with your customers can be erased in a nanosecond.  

On a positive note, this week at Schnucks is Super Triple Coupon Week! I wish them all the best in building back the trust of their customers. Triple coupons would get me back in the stores, but it’s up to them to ensure the security of their software!

Rob Cross
ProServices, Vice President

Written by Rob Cross at 08:00
