Morning Commute Gone Wrong

Waking up and dragging yourself out of bed on a Monday morning is hard enough. Imagine, on the long, road-rage-inducing ride to work, your car is suddenly taken over by a remote hacker and you lose control. Your brakes stop working, your car starts turning, and maybe you even lose control of your radio – now Miley Cyrus is playing (yikes!).

Your frustrating ride to work has just become nearly catastrophic, and it all comes down to a lack of software protection in your car’s "soft" wiring. Recently, Chrysler has found that their cars are vulnerable to these types of attacks, stemming from a wireless service that connects the cars to Sprint’s cellular network. According to an article released by CNN, the risk for vehicle hack attacks was discovered in 2013, but exponentially increased with the introduction of wireless connectivity that is now standard in every new car. At first, the hacker can access your air conditioner, radio, and navigation system. However, once inside, they have a terrifying amount of access to your car’s ability to drive – your brakes, steering wheel, and gas pedal are all at the hacker’s control.

Now, I can assume between your fearful breathing and paranoid research of your car’s ability to fight these hackers, you’re thinking, “How could this have happened?” The answer is simple. When companies release their own software, they often do not use the proper amount of caution when analyzing the code for flaws. What companies like Chrysler are quickly realizing is that when their products become part of the connected network, they also become a target, just like your computer, phone, TV, alarm system, and everything else in your life that is connected.

Cyber security is complex and has many layers. Protecting products like connected vehicles is no easy task, but it’s one that is absolutely necessary, considering the industry’s accelerated movement towards self-driving cars and the injection of more technology into your vehicle ... yikes! Application security is one of those important layers in a holistic cyber security strategy, and PSC’s customers are able to avoid such incidents from originating within the application layer by leveraging our industry-leading software security forensics.

Before you go out and buy a '69 Camaro or old Chevy Impala, realize that companies like Chrysler are very aware of such vulnerabilities and are working with their supply chain to ensure new processes and policies are in place to protect their customers in the new connected automobile world. Keep on the lookout for upcoming announcements of Chrysler’s proactive movement in this area [wink ... wink].

Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

Is the Problem of Software Security Sociological or Technological?

Back in January 2015, Osterman Research published a whitepaper, “The Need for Improved Software Quality.” It was a great read, so I wanted to share a few of my favorite “moments” from it, as well as some of my own thoughts.

#1: Fewer than one in five of the organizations surveyed viewed security as the most important criterion when developing custom applications internally or when having custom software developed by third parties.

My thoughts: Software quality and security are still being treated as a low priority. Our business at PSC is offering an MSP turnkey solution to provide software quality and security expertise to our clients. To this day, it amazes even us how reactive organizations are, especially after high-profile events, such as the Target data breach. There is a common misperception of, "That won't happen to us; our products aren't a target of hackers." If your products touch a network and are software-driven, then they are a target. Just this morning the news reported how an airline passenger hacked into the jet engines midflight through the telematics and entertainment systems onboard the plane. Gadzooks!

#2: The vulnerability of much of today’s off-the-shelf and custom software, coupled with a lack of management focus on and support for security, is directly responsible for many of the data breaches, financial losses and other security-related problems that have occurred and will occur in the future.

My thoughts: ATTENTION C-Suite executives! The hacker community loves you! They want you to keep your heads buried in the sand so that they can continue to threaten the millions of dollars you have spent on building your loyal customer base and brand.

Need an example? The data breach at Target resulted in a number of serious and long-term problems:

  • Target’s shareholder value dropped by $148 million.
  • Net earnings for the company during the fourth quarter of 2013 were 46% lower than for the fourth quarter of 2012.
  • Sales and the number of transactions during the fourth quarter of 2013 were 3.8% and 5.5% lower, respectively, than for the same period a year earlier.
  • As of August 2013, Target estimated that the cost of the data breach to that point totaled $236 million.

#3: To address these issues, management must focus on security as a top priority in the software development process and must provide sufficient security-focused training to developers.

My thoughts: A good place to start is by addressing process and education. These are long-term investments that will pay off over time and take some time to implement, but eventually both will contribute significantly to changing the organization's culture to being proactive and proud of software security. In addition, there should be a focus on technology, implementing new tools that will assist the organization in collection, correlation and collaboration of security data and providing transparent views into risks from all levels.

IS THE PROBLEM OF SOFTWARE SECURITY TECHNOLOGICAL OR SOCIOLOGICAL?

Clearly there is an issue with software security – this white paper highlights that. But why does this issue exist? It's my contention that the issue of software security is more sociological than technical – it’s an issue of culture and complacency. Technology has been available to companies for a long time, enabling them to prevent the injection of software security risks into their products and allowing them to monitor and control their supply chain.

What we have found prevalent in our client accounts is that if executive management doesn't know or understand how such risks relate to company performance, then they don't know to care or how to proactively manage them. On the other hand, some executive teams don't want to understand what they don't know about software security by claiming that it's a technical issue that's beneath them.

The smart executive teams dig in and invest the time and money to build a risk framework that incorporates software security metrics into their management reports. This emphasizes software security as an important data point and shifts their software from being regarded as a liability to an important asset to proactively measure, understand, manage and mitigate risks. These executives are the hackers’ worst enemies.

But remember, the hackers only have to be right once – your software team and supply chain have to be right 100% of the time. An impossible task, perhaps, and a lot to ask, but we all should be swinging for the fences to protect our company, products and customers.

Read “The Need for Improved Software Quality” here.

Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

One Step Forward, Ten Steps Back in Cyber Security

This past weekend, my wife and I went to visit our local jeweler to have our wedding bands repaired after many years of wear and tear. The owner of the store is your typical small business jeweler. He opens and closes his store, mops the floors, cleans the jewelry – and everything in between, including managing his own IT infrastructure.

My wife and I were the only ones in his store at the time, and he kindly asked about my business, which I described as a software security consulting firm. This piqued his interest, and he began to engage me in "techie" talk. He showed me his backroom, full of state-of-the-art equipment. He had everything Apple, from desktops, laptops and iPads to high-end gemology equipment; it was quite impressive. 

As we were checking out, our jeweler chuckled and said, “You’re probably going to laugh later about how much of an idiot at technology I am," and he turned his screen to show me that his point-of-sale (POS) system is still a DOS-based system. It was quite a nostalgic moment – it has been forever since I have seen a DOS-based system. With shock, I asked him why he never upgraded. His explanation was simple. Like the rest of us, he reads the papers and listens to the mainstream media and has been bombarded by stories of hackers and cyber attacks over the years. His logic was, "What hacker out there is targeting DOS-based systems?" He continued to justify this by telling me that his most important customer data is stored in this DOS-based system and that he can't afford to lose it due to viruses or a hacker. 

Idiot or Idiot Savant? 

This resulted in a vicious debate inside my brain regarding whether his strategy was complete gross negligence or utterly brilliant. He is perfectly content with this system and its functionality. It offers the basics of what he needs to manage his customers and it continues to work great. One could argue that he did a very smart thing by keeping it simple – if it’s not broken, don’t fix it. Of course, I could also argue that by not upgrading or backing up his machine, he's one crash away from trashing his data; so, why not upgrade and just keep that computer as a standalone system? 

Who Will Inherit Cyberspace? 

As I continue to think it through, I have flashbacks to movies where aliens invade the planet and we're reduced to simple forms of communications, such as Morse code (thank you, Will Smith and Independence Day). Have we arrived at the same juncture in cyberspace where things have gotten so bad that we're now reduced to dialing back the clock to the days of the green screen, the Morse code equivalent?  

The Tide is Changing

In the wake of high-profile breaches (i.e. Target, Home Depot, Sony), as more executives in the C-suite begin to feel the heat for under-investing in cyber security, I have high hopes that the rest of us will benefit. 

If we as consumers demand and hold our favorite brands accountable, then perhaps small business owners, such as my jeweler, can crawl out from under the stones of MS-DOS and regain confidence in current software that could foster potential growth.

I feel confident that the tide will soon change, cyber security will become a greater priority, and everyone from big businesses to tiny consumers will be better off for it.


Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

The #1 Way to Secure Your Software

[How to Herd Cats]

Cyber security, hacks, breaches and attacks … oh my! Every day in the news there is some headline regarding a company, famous individual or government being compromised by an attack from cyberspace. 

What is Cyberspace? 

According to The Oxford English Dictionary, cyberspace is “The notional environment in which communication over computer networks occurs.” What is the difference between reality and cyberspace? I contend that there is no difference, and as our world grows increasingly connected via cyberspace from our computers, phones, cars and fitness equipment (wearables), the line between the world of physical reality to digital reality is more and more blurred and will probably disappear at an astonishing pace. 

At proServices, we provide independent software/cyber security services, so we have the privilege of working with customers whose products operate within the cyberspace domain. The notion of protecting their systems from being “hacked” and maintaining a balance between remaining competitive, protecting their brand and protecting their customers is still a work in progress.    

What is Cyber Security?

According to TechTarget, “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.” Cyber security not only requires a holistic approach from the depths of your data to the fringes of your network, but it also requires a shift in culture. This is especially true when it comes to addressing the application layer within your framework of assets that require protection. 

Build a Secure Culture

Culture eats strategy for lunch! I’ve had the fortunate experience in my life of touring a Japanese automobile assembly plant. There were signs everywhere – from the assembly line, to the break room to the restrooms, reminding everyone of how to build a quality vehicle. They even supplied their workers with covers and tape for their jewelry to ensure that they did not cause scratches to the cars. The company’s culture is all about a supreme focus on the quality of the end product.  

Considering the constant threat our connected world is under, including the products we produce, the best of our clients have recognized a need to change the culture within their software organization to focus more proactively on security. In many companies, software organizations have a lot of freedom to implement security best practices – when it’s convenient and not impeding time-to-market drivers. It has been a paradigm of “herding cats” instead of soldiers marching.

Leadership is the Main Ingredient

Leadership is the hardest component to get into place for a change in culture. It requires a company to truly be authentic in making software security a priority and a part of its core values. Without this commitment, there will be compromise, which breeds complacency and leads our strengths to become our weakness. Too often, after identifying security vulnerabilities in our customer’s software, we find out that it was the result of an executive decision that introduced this risk inside the software. Therefore, leadership must be unwavering.

The Best of Approaches

One of the best approaches to changing culture is when our clients proactively address the following components:  People, Process, Technology, Data Management, Standards and Transparency. They view each of these components as essential to building a secure culture. I have provided some examples of best practices we have seen within some of these components below.

People – Don’t talk the talk, but walk the walk! 

One of our clients provides recurring security training to their software engineers. It’s viewed as a necessary and continual investment. Cyber threats and attacks change every nanosecond, and they felt it was necessary to make sure their employees were updated on the latest programming techniques to reduce their software attack surface. Training also reemphasizes to their employees that security is a core value, one requiring constant investment; it also sent a message that pleading ignorance is not an excuse.

An important part of building a secure culture with their employees was through gamification. The executives recognized that they had to provide incentives to promote openness and emphasize the importance of security. They achieved a shift in mentality within their software ranks from one of hiding embarrassing defects to one that promoted discussing vulnerabilities as an opportunity to share lessons learned.      

Data Management – It’s not the tools!

One customer started by first asking questions about what security risks were important to the organization to proactively identify, manage and mitigate. This led to understanding what training and processes need to be in place to ensure objectives could be met. They identified several security standards and cherry picked the best from each, tailored to their product space. Then they researched a suite of tools that could produce reliable data to feed into their process, ultimately answering these questions. The default in our industry is a company working from the bottom up and starting with the tools first, which too often results in too many opportunities for systems to be compromised.  

The above are only two brief examples of many. No silver bullet exists for software security; however, building a secure culture provides the needed ammunition to fight back, secure your software, protect your brand and your customers, and, most importantly, build something inside your company that is bigger than any individual and will be there long after you’re gone. 

Rob Cross
PSC Vice President

Written by Rob Cross at 05:00

A Hard Look in the Mirror - [the Independent Auditor’s Paradox]

I am a big believer in setting goals, both short-term and long-term. This provides a structured strategy and defines the low-level tactics required to meet objectives. Once these goals are established, I have laser focus and, at times, have blinders on. This focus and drive has been primarily a blessing, but sometimes I lose perspective.

Our business, proServices, has been an independent “auditor” of software for over a decade, and we are a DCG partner. I have always recognized how uncomfortable this process makes our customers feel because, for the first time, we are providing transparency into the software risks across their organization, so what was once hidden is no longer. This can be very intimidating and make some folks feel exposed and compromised.

The Auditor Becomes the Audited

I had a similar experience recently, when our company was audited. During our initial meeting with our auditors something felt different, but I couldn’t put my finger on it. It was almost a surreal experience. First there was a risk assessment, with the auditor asking all types of questions about our documentation and process, etc. Then the auditor asked if we could package up the artifacts under audit cleanly and if we had control of them for completeness and accuracy. They then explained their audit process and the concepts of transparency. 

It wasn’t until the day after our initial meeting when it hit me. Quoting Shaggy from Scooby-Doo, “Zoinks!” I just had the experience my customers have when they first meet with us! It may not sound like a very profound moment but it was. We at proServices have been “heads down” with laser focus for a long time, trying to change the software world from art to engineering, but I never had the opportunity to sit on the other side of the table as the audited, not the auditor.

Finding the Humor

As I watched the auditors pore through our artifacts, I found myself saying, “I’m glad I don’t have to do that; it looks so boring and tedious!” If I had a nickel for every time one of our customers made that same comment to us, I would be retired. It also made me laugh because at the end of the meeting, the auditor explained how by going through this revealing process my business would be better off – and I couldn’t disagree with her because I’m in the same business! Oh, the moral dilemma!

Practicing What You Preach

Everyone has a job to do and we all believe that job is in some way going to make the world we live in a better place. Auditors are people too and although the process we are going through is uncomfortable, it’s necessary. In the end, it will help move us forward by learning from any mistakes uncovered or by confirming that we’re doing everything correctly. 

I’m learning a lot sitting on the other side of the table, including humility. However, looking back over the past decade I have no regrets. We have treated our customers fairly and worked hard to communicate that we are there to help, not destroy or embarrass. I believe we have been successful in this by the amount of repeat business our customers give us, which is a tremendous vote of confidence. 

What I respect most about auditors is their objectivity in not being emotionally tied to the data or results. They only seek to understand the truth, no matter how good or ugly it is. Lastly, I very much respect their disposition, having walked more than a mile in their shoes. I know that as an auditor you’re, at times, the least favorite person in the room, and it’s tough to build relationships if the other parties are afraid to embrace the truth and put aside egos and politics to do what’s right.

So, there you have it. Now that I’ve been on both sides of the table, I feel like I have a better understanding of our customers. Of course, for me, it also solidified the value of an audit. If your company would benefit from a software audit, I’m happy to help – I’ve been there too.   


Rob Cross
PSC Vice President, DCG Sales

Written by Rob Cross at 05:00