Security by design: Embed protection during software development

Application security tests for vulnerabilities, teaches developers during earliest stages of software creation


There was a time 15 years ago when we fully expected the latest, coolest software to come riddled with aggravating bugs. Consumers were trained to expect that the software vendor would fix the glitches in version 1.1 or 1.2.

Software developers today remain under more pressure than ever to rush to market with the coolest functionalities. But those that do so create fresh vulnerabilities that cyber criminals pounce on to breach business networks and cause other havoc.

Factor in the ongoing shift into cloud computing and the rapid expansion of the Internet of Things, and the problem of loosely written software takes on profound significance—to the point of putting political systems, and even human lives, at risk.

Related video: The case for making software secure from the start

The good news is that there is a rising field of cybersecurity, referred to as “application security,” that promotes putting more forethought into developing new software with security built in from the ground up.

Silicon Valley-based software company Synopsys has jumped with both feet into the application security field. With 10,000-plus employees and $2.4 billion in annual revenue, Synopsys is the U.S. software giant most folks have never heard of.

The company got started in 1986, spun out of General Electric’s research branch. It then proceeded to help pioneer the software tools used for designing the integrated circuits and circuit boards at the core of digital commerce as we know it today.

Now Synopsys is staking out turf in the burgeoning cybersecurity market. It recently formed a business unit, called the Software Integrity Group, by acquiring a string of companies doing work in application security—the pursuit of embedding security features as early as possible in the development of business software, even down to the chip level.

Related podcast: Why ‘DevOps’ and application security testing go hand-in-hand

Synopsys’ buying binge toward this end has included Coverity, Codenomicon, Seeker, Protecode and, most recently, Cigital and Codiscope. At RSA 2017, I had the chance to meet with Andreas Kuehlmann, senior vice president, and John Wyatt, vice president of security consulting, respectively, for Synopsys’ newest business unit. A few takeaways:

John Wyatt, Synopsys vice president of security consulting

New paradigm needed. The software industry is notorious for developing commercial applications as rapidly as possible, with as many bells and whistles as possible, with little, if any, regard for the security implications. Part of that is due to the fact that software development is an immature discipline, when compared with, say, mechanical engineering, Wyatt says. But the arrival of the Internet of Things has raised the stakes considerably.

“In the past, software security was mostly focused on the enterprise space. So if you think about banks, they were the first ones attacked, then retail stores and insurance companies,” Kuehlmann adds. “Now we see the advent of IoT where security is not only an issue of whether a credit card number is stolen, it is now people’s health that is impacted. If the car gets hacked, you can actually hurt someone, you can create an accident.”

Deeper attacks. Network probes, and breaches, have become a fact of everyday business life. And even as companies spend more to beef up defenses, cyber criminals are probing for, and attacking, vulnerabilities lurking deeper in company networks.

Wyatt notes that two-thirds of breaches trace back to vulnerabilities that were introduced in the application software. “So we test the software for people who are either building it or buying it or storing it,” he says. “And then we teach the people who built that software to do it correctly, so it’s not hackable.”

Andreas Kuehlmann, Synopsys senior vice president

This involves hardening programs from the ground up. Says Kuehlmann: “We focus on applying technology and processes in the development of the software to build security in, getting it right from the beginning rather than being sloppy in development and having a lot of vulnerabilities that you have to then fix later on.”

Onslaught has begun. Attacks aimed at the Internet of Things have started. As consumers bear the brunt, the companies rushing internet-connected devices and services to market will be compelled to shore up security.

“What’s happening is software vendors and technology providers, the people who make thermostats or industrial control systems for power utilities or internet-enabled televisions, are realizing that the software that they produced in the past was easily hackable and is now being hacked,” Wyatt says. “And as a consequence of that, they’re going back and making sure that the software that they built is solid and isn’t easily hackable anymore.”

That’s kind of where we are, folks. Expect attacks to rise, and expect companies to get smarter about core security issues, like application security—but only if and when consumers demand it. For a deeper dive into this conversation, please listen to the accompanying podcast.
