Synopsys software security event in Bangalore: "Software risk is business risk"
There is a clear shift in the business application software development industry: programmers are writing code following processes that build security in, and using the latest technologies to make their code robust and secure. It is a late wake-up for this industry, but a necessary one. Synopsys conducted an event titled "Synopsys Software Integrity Group User Event 2023" in Bangalore on 20th July 2023 to bring together experts and software engineers in this industry to share the latest trends in the AppSec and DevSecOps domains with the business software development community. Synopsys is better known for electronic design automation software, and is a company firmly rooted in highly reliable software development, treating safety, reliability and security as high priorities since it was founded.
Security and reliability are the most important aspects of any software application, more than features and benefits. Highly feature-rich and beneficial software that is vulnerable to attack is a bubble waiting to burst, causing significant losses to the businesses that rely on it while its security bugs and vulnerabilities remain unexposed. Fixing security bugs that are deeply embedded and threaded through a code base can turn into a nightmare after an attack. So the answer is not prevention alone: programmers need to adhere to strict processes and use the right technologies from the very initial stage, so that the code is built with all the security checks done and no weak link. This kind of approach needs conscious security awareness from every person building the software. In that sense, security is not a separate layer but something present at every stage.
The event kicked off with an interesting session from Richard Kirk, Vice President of International Sales, Synopsys Software Integrity Group. Richard, an experienced programmer and software security expert, explained to the audience how software risk is business risk. The impact of a software failure on a business is huge; it can be a tsunami that completely wipes out the business.
Pic above: Richard delivering his talk.
Here are the key points and excerpts from his session:
Software risk is fundamentally a business risk. The software industry has come a long way: in the initial days of the Internet, people were not bothered about who was behind the keyboard and mouse; today the concerns are privacy, identity theft and impersonation.
Richard gave the example of the Concorde air crash, which killed everyone on board after the plane hit debris on the runway. This was an example of performance over safety. That one accident had wide repercussions for the airline industry. That was an example of business risk. He said: "In today's cyber software systems, how do you find the bug and relate it to the business risks involved? You must be extremely careful in handling this risk because of the wide implications a cyber security incident can lead to, because it can cause huge damage to your software product's reputation, huge system cost and downtime."
The best way of fixing problems is by taking the path of security by design. Things may be different for each industry, such as finance, healthcare, etc.
In some cases the application software may be safe but not the network, so in that case you have to find ways to manage that situation. So security should be provided by looking at all the weak links.
In today's world every business and every company is software dependent. Seamless interaction between security experts and software programmers is a necessity: programmers work to deadlines, and they need to consider security so that there is no business risk with the software. Present-day systems are so integrated with software, featuring online shopping, online payment and similar online business transactions. Day in and day out, software is integral to every aspect of life.
In the physical world, every component going into a machine or piece of equipment is given a number, and its source, specifications and other details are tracked throughout the life of the product. That information is called the bill of materials (BOM), so that if any accident or failure happens to that machine or equipment, the whole bill of materials can be examined to find the culprit part.
Similarly, there is the concept of a software bill of materials (SBOM), where all software components are tracked. Managing the supply chain of such software components becomes important. Your BOM may involve open source components as well as proprietary components.
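As an added worked example (not code from the talk, from Synopsys, or from the original article), here is a small Python script that consumes an SBOM in the CycloneDX JSON format, lists its components, flags components with no declared license, and matches each component against an advisory list by name and version range. The SBOM document, the package names and the advisory entries are all constructed inline for the example and are hypothetical; the version comparison is simplified to dotted numeric versions.

```python
"""Minimal SBOM consumer: load a CycloneDX JSON document, list its
components, and match them against a list of known-vulnerable versions.

Added illustrative example, not Synopsys or event code. The SBOM and the
advisory list below are constructed for the example; the advisory entries
are hypothetical and do not describe real vulnerabilities.
"""
import json

# Constructed CycloneDX 1.4 document: one application and its dependencies.
# Real SBOMs are produced by build tooling; this one is hand-written.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "shop-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "json-parse", "version": "1.2.5",
         "purl": "pkg:npm/json-parse@1.2.5",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "tls-wrapper", "version": "3.0.1",
         "purl": "pkg:npm/tls-wrapper@3.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Proprietary vendor SDK: supplier named, no open license declared.
        {"type": "library", "name": "pay-sdk", "version": "7.1.0",
         "purl": "pkg:generic/pay-sdk@7.1.0",
         "supplier": {"name": "Example Vendor"}},
    ],
})

# Constructed (hypothetical) advisory feed: package name, first affected
# version (inclusive) and first fixed version (exclusive).
ADVISORIES = [
    {"id": "EX-0001", "name": "json-parse", "introduced": "1.0.0", "fixed": "1.2.7"},
    {"id": "EX-0002", "name": "tls-wrapper", "introduced": "2.0.0", "fixed": "3.0.0"},
]


def version_key(version):
    """Turn '1.2.5' into (1, 2, 5) so versions compare numerically.
    Simplification: only dotted integers are handled (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text):
    """Return the components of a CycloneDX JSON document as a list of dicts.
    Raises ValueError if the document is not CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    components = []
    for comp in doc.get("components", []):
        components.append({
            "name": comp["name"],
            "version": comp["version"],
            "purl": comp.get("purl", ""),
            # A component with no declared license is flagged for review.
            "licensed": bool(comp.get("licenses")),
        })
    return components


def find_affected(components, advisories):
    """Match components against advisories by name and [introduced, fixed) range."""
    hits = []
    for comp in components:
        v = version_key(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                hits.append({"component": comp["purl"],
                             "advisory": adv["id"],
                             "fixed": adv["fixed"]})
    return hits


def report(sbom_text=SAMPLE_SBOM, advisories=ADVISORIES):
    """Summarise the SBOM: component count, unlicensed components, advisory hits."""
    comps = parse_sbom(sbom_text)
    return {
        "components": len(comps),
        "unlicensed": [c["name"] for c in comps if not c["licensed"]],
        "affected": find_affected(comps, advisories),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the constructed input, the report lists three components, flags the proprietary pay-sdk as having no declared license, and reports json-parse 1.2.5 as affected by EX-0001 (fixed in 1.2.7), while tls-wrapper 3.0.1 falls outside the affected range of EX-0002. In practice the SBOM comes from the build pipeline and the advisory feed from a vulnerability database, and the same name-plus-range matching is what lets a team answer "which of our products ship this component?" when a new advisory lands.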
The complexity of software is rising. Initially the semiconductor inventors were involved in software development; now software is everywhere, and as more and more software is developed the complexity rises. Unfortunately, the hackers are getting more sophisticated, with more resources.
Richard said: "All of us have a very important responsibility to the wider community to make sure that the software is something you can trust."
After the session, in a one-to-one interaction with him, here are some more key points and comments made by Richard on the subjects of my questions:
Security should be everyone's concern, not limited to the software development team and the security team alone. Security is not just a separate team; programmers need to be thoroughly trained as part of their academics. One of the challenges we have in software is that it is intangible; you can't put your finger on it. But if you go to a car factory, you see everything: if something breaks you see it on the floor, and in the case of an accident you see the consequences. Software is intangible because it is invisible. If you look at the manufacturing world or the physical engineering world, there is a lot of action we can learn from. In the 70s and 80s total quality management was a very big topic. Quality, safety and security were topics for everybody. On building sites there will be a big sign displaying the number of accidents in the last 100 days, or when the last accident happened. They do it so that every worker walking through the gate has security as the number one concern; again, it is tangible. In the software world, which is intangible, to solve the security problem it should be everyone's responsibility. But the challenge in the first 10 to 15 years of software security was that there was always a divide between the software developers and the security people. And the security people will tell you that their biggest challenge is getting developers to adopt tools and processes.
Gullible smartphone users receiving messages from unknown and risky sources asking for personal data:
It has more to do with government regulations. If you take a car, most countries have got safety and security regulations. If your car has a failure due to a manufacturer fault or design fault, the manufacturer is obligated to do something about that. As the first step of safety they have to answer and tell you about the fault, and they have to do that by law. In the security world we have a saying that the security people have to get lucky a hundred percent of the time, and the bad actor has to get lucky only once; that's it, they are in, and they can do whatever they like. In the situation you're talking about, a phishing attack, the software can only go so far. What you can do is make sure that if a phishing attack allows somebody to gain some credentials, the software is robust enough to deal with somebody using those credentials, and there are different ways to do that. And make sure that data leakage doesn't happen in the first place. The only reason somebody targets you is because they know something about you, such as your phone number and some information for a targeted phishing attack. That's how ultimately a data breach happens. It's a combination of weaknesses between the network and the software.
In the case of data breaches, in many places there is no requirement to notify the people that there was a data breach; there may be requirements to make a public disclosure, but there is no requirement to necessarily tell you that your data was in the breach. And that is something which has to be resolved. Otherwise the bad actors are always going to find a way around.
Security weaknesses in operating systems and the cloud:
When you have a system designed with open source, it is harder to control, whereas if you have a system which is designed behind closed doors, you have total control of things. It is possible to make applications in the cloud extremely secure, but you need the resources, expertise and the right effort to do it. In open source, a lot of software companies are developing applications, but if you don't put the right controls in place, other people may assume that you have them in place.
Tools and technologies for ensuring security:
Just as the whole industry is getting automated by leveraging software, software development is also getting automated, with fewer manual tests. Synopsys offers a range of tools to automate software testing for security. Richard explained that Synopsys tools are extensively used in API testing for smartphone apps and in much of the software that enables online transactions.
He also pointed out that the latest programming languages embed more security features compared to older languages.
Though this was the first event by Synopsys on software security, it was well attended by programmers and experts in the industry.
Naresh Choudhary, Vice President, Infosys, spoke about security in software development in today's situation, where AI and open source have started gaining ground. Software engineers from Infosys were well represented at the event.
Pic above: Naresh Choudhary delivering his presentation.
Pic above: Author with Richard Kirk.
Author: Srinivasa Reddy N