Security by design: Embed protection during software development
Application security tests for vulnerabilities and teaches developers during the earliest stages of software creation
By Byron Acohido, ThirdCertainty
There was a time, 15 years ago, when we fully expected the latest, coolest software to come riddled with aggravating bugs. Consumers were trained to expect that the software vendor would fix the glitches in version 1.1 or 1.2.
Software developers today remain under more pressure than ever to rush to market with the coolest functionality. But those who do so create fresh vulnerabilities that cyber criminals pounce on to breach business networks and cause other havoc.
Factor in the ongoing shift into cloud computing and the rapid expansion of the Internet of Things, and the problem of loosely written software takes on profound significance—to the point of putting political systems, and even human lives, at risk.
Related video: The case for making software secure from the start
The good news is that a rising field of cybersecurity, referred to as “application security,” has emerged to promote putting more forethought into developing new software with security built in from the ground up.
Silicon Valley-based software company Synopsys has jumped with both feet into the application security field. With 10,000-plus employees and $2.4 billion in annual revenue, Synopsys is the U.S. software giant most folks have never heard of.
The company got started in 1986, spun out of General Electric’s research branch. It then helped pioneer the software tools used for designing the integrated circuits and circuit boards at the core of digital commerce as we know it today.
Now Synopsys is staking out turf in the burgeoning cybersecurity market. It recently formed a business unit, called the Software Integrity Group, by acquiring a string of companies doing work in application security—the pursuit of embedding security features as early as possible in the development of business software, even down to the chip level.
Related podcast: Why ‘DevOps’ and application security testing go hand-in-hand
Synopsys’ buying binge toward this end has included Coverity, Codenomicon, Seeker, Protecode and, most recently, Cigital and Codiscope. At RSA 2017, I had the chance to meet with Andreas Kuehlmann, senior vice president, and John Wyatt, vice president of security consulting, of Synopsys’ newest business unit. A few takeaways:
New paradigm needed. The software industry is notorious for developing commercial applications as rapidly as possible, with as many bells and whistles as possible, and with little, if any, regard for the security implications. Part of that is because software development is an immature discipline compared with, say, mechanical engineering, Wyatt says. But the arrival of the Internet of Things has raised the stakes considerably.
“In the past, software security was mostly focused on the enterprise space. So if you think about banks, they were the first ones attacked, then retail stores and insurance companies,” Kuehlmann adds. “Now we see the advent of IoT where security is not only an issue of whether a credit card number is stolen, it is now people’s health that is impacted. If the car gets hacked, you can actually hurt someone, you can create an accident.”
Deeper attacks. Network probes and breaches have become a fact of everyday business life. And even as companies spend more to beef up defenses, cyber criminals are probing for, and attacking, vulnerabilities lurking deeper in company networks.
Wyatt notes that two-thirds of breaches trace back to vulnerabilities that were introduced in the application software. “So we test the software for people who are either building it or buying it or storing it,” he says. “And then we teach the people who built that software to do it correctly, so it’s not hackable.”
This involves hardening programs from the ground up. Says Kuehlmann: “We focus on applying technology and processes in the development of the software to build security in, getting it right from the beginning rather than being sloppy in development and having a lot of vulnerabilities that you have to then fix later on.”
Onslaught has begun. Attacks aimed at the Internet of Things are already under way. As consumers bear the brunt, the companies rushing internet-connected devices and services to market will be compelled to shore up security.
“What’s happening is software vendors and technology providers, the people who make thermostats or industrial control systems for power utilities or internet-enabled televisions, are realizing that the software that they produced in the past was easily hackable and is now being hacked,” Wyatt says. “And as a consequence of that, they’re going back and making sure that the software that they built is solid and isn’t easily hackable anymore.”
That’s kind of where we are, folks. Expect attacks to rise, and expect companies to get smarter about core security issues, like application security—but only if and when consumers demand it. For a deeper dive into this conversation, please listen to the accompanying podcast.
More stories related to software security:
Security must be part of device design as Internet of Things evolves
Pairing of DevOps and cybersecurity coordinates strengths of both
To get ahead of threat curve, boost security during software development