Have you implemented a process to ensure security?
June 26, 2015
Last time, we chatted about the #1 problem for security in the embedded world - there simply isn't one overarching governing body that oversees securi...
Last time, we chatted about the #1 problem for security in the embedded world – there simply isn’t one overarching governing body that oversees security. As the world becomes increasingly interconnected, this factor is going to pose more and more problems down the road.
However, there’s good news: processes are already in place that have led to fantastic results in ensuring secure, high-quality software. The bad news: few companies are using them. Ask the majority how their software was developed, and you’ll hear a version of, “We downloaded a piece of free software from the web, loaded it onto our servers, and used that to protect yours and my data.”
Clearly, this is not acceptable. Sure, it may take a little extra investment and legwork at the beginning, but it’s worth it – and I think you’d agree that we can’t afford not to, especially when it comes to protecting personal data.
The aerospace, industrial, medical, and transport industries, for example, already use software processes, which are defined by IEC 61508 and other similar standards. Research reveals that following an appropriate process reduces defects significantly, and in many cases, can even reduce the cost of software management over its life cycle.
Now, obviously, we don’t all need to adopt the full safety standards of the aerospace industry. Such rigor is not feasible, nor necessary for most developing organizations. However, by taking a cue from other industries and applying the relevant processes, we can go a long way toward improving security. The standards bodies have already started doing this. The standard used in the medical industry, for instance, originated in the standard for industrial control systems. There’s just no need to re-invent the wheel here – the processes already exist!
From requirements specification to coding standards, from dynamic and static code analysis to traceable test cases, there are a variety of measures that developers can take to ensure high-quality, secure software. The element that ties everything together, though, is the software life cycle. And, a life cycle is vital: not only does it specify a set of steps that make sure all the boxes are checked from concept to release, but it also introduces a process for change. As one element changes, there is someone in charge of what that change is going to affect. It’s easy to see how important this is when we’re dealing with personal data.
Since there is no governing body overseeing security, the responsibility falls in the hands of developing organizations. By doing a little homework beforehand, working together to learn what works, and implementing processes already in place, we can look forward to a future of developing high-quality, secure software in an increasingly interconnected world. Of course, it’s not a cure-all for all security issues: careful thought to software design can also go a long way toward minimizing risk, too, which we’ll explore next.
Dave Hughes is the CEO and founder of HCC Embedded, a developer of re-usable embedded software components. Dave is a “hands-on” embedded specialist, who still actively contributes to the strategy and direction of HCC’s core technologies. His extensive experience has made him one of the industry’s leading authorities on fail-safe embedded systems, flash memory, and process-driven software methodologies. He is a graduate of the University of Sussex in England.