HINT: They Don't Work In Your Organization:
In general, code security often gets overlooked, and when it comes to embedded software, code security has long taken a back seat to code quality. But there are plenty of people who do care about code security and are testing the security of your code. Unfortunately, most of them don’t have your interests in mind.
Code security is based on secure coding practices and writing applications that are resistant to attack by malicious or mischievous people or applications. Secure coding helps protect a user’s data from theft or corruption. Also, an insecure application will allow an attacker to take direct control of a device or provide an access path to another device, resulting in anything from a denial of service to a single user to the compromise of secrets, loss of service, or damage to the systems of thousands of users.
Secure coding is important for all software; whether you write code that runs on mobile devices, personal computers, servers or embedded devices, you should become familiar with the techniques and tools to support this practice.
WHY BE RUGGED?
The rate at which software is being embedded into “things” is exploding. Manufacturers in the appliance, automotive, consumer electronics, and medical device industries are rapidly expanding the use of embedded devices powered by software, making smarter products and adding new features and capabilities. To meet the growing demand for software and to keep up with rapidly changing business and consumer trends, developers are under pressure to write and reuse more code than ever, to deliver newer and better features, and to do it all faster. This evolution dramatically impacts the reliability, safety and security requirements for software: it needs to be Rugged, like never before.
ENCRYPTION IS NO GUARANTEE OF SECURITY:
Secure software (or the lack thereof) is now a daily news topic and a major challenge for a growing number of companies who are increasing the amount and complexity of software in their products. Many software architects and developers lack training in security technologies and techniques and have only a rudimentary understanding of what should be done to improve application security. The urgency to improve application security has resulted in security being added to the requirements list in the form of features. This has resulted in feature requirements such as application firewalls, data encryption modules, and adding SSL to secure data flows. While these are all positive improvements, security features don’t do much to address some of the most prevalent security issues, which are the result of insecure code.
THE PARADOX OF SOFTWARE DEVELOPMENT:
It is somewhat paradoxical that many industries use software to automate and improve the delivery of products, yet the way software is often developed lags behind in the use of automation. Static analysis offers the promise of automation to improve the safety, security and reliability of software dramatically. However, purchasing a static analysis tool alone will not guarantee better software.
Are We On The Road To Ruin:
Wired’s scoop about Jeep vulnerabilities, and Fiat Chrysler’s consequent decision shortly afterwards to recall 1.4 million cars in the US to update their software, provide a glimpse into the future and highlight some issues that promise to be fairly common in the future of automotive (and all other connected smart "things").
Clear as Mud:
When it comes to working with code metrics, one of the least understood aspects seems to be cyclomatic complexity. To shed some light on the subject we need to examine function complexity measures, and specifically the correct basis for the well-known Cyclomatic Complexity (CYC) metric. I will take a deeper dive into this topic to offer a better understanding of this key measure of code complexity.
As a PhD I chose the dissertation topic “Assessing and Improving Quality of Safety Critical Systems”, which involved the development and assessment of software for safety critical railway systems with one of the biggest rail companies in the Czech Republic. This research project focuses on finding answers to questions such as: “How to measure quality of safety critical systems?”, “Which metrics are most suitable for quality assessment?” or “How to improve the quality of safety critical systems?” Any organization seeking to evaluate the quality of their systems using software quality models and automatic software metrics measurement should consider
28 Clicks To Disaster:
Researchers recently found source code security flaws that allow an attacker to overcome the password security of Grub2 and take control of the computer – just by pressing the backspace key 28 times. This easily preventable defect has existed since 2009. How could this have been detected earlier? Why did this vulnerability that could have been easily prevented or fixed much earlier evade detection?
Is It Time to Reconsider Using Static Analysis?:
Static source code analysis is not a panacea for delivering high quality secure software. But many developers are quick to dismiss static analysis, often based on hearsay, or experience with poorly designed tools or low-level bug catchers.
The old excuses are no longer valid for avoiding static code analysis
"What's past is prologue"
Networks, personal computers and servers have long been under fire from hackers and criminals, leading to headline-grabbing data breaches worldwide and spurring massive investments in security technology. And cyberattacks are expected to increase further as devices from phones to appliances to cars become connected to the Internet.
THE HEADLINE YOU'LL NEVER SEE:
If you were expecting to read about a major scientific discovery on a new gene therapy to improve brain functions and reasoning skills to write error-free code, we’re sorry, but you’re out of luck.
So what can we do to address the human element in the software development lifecycle? According to an independent study by UC Berkeley researchers “
Improving Reliability Safety and Security
We live in an interconnected world: people are interacting with machines and devices that are in turn communicating with each other, and our lives and livelihoods now depend on software.
Software innovation is driving the creation of new products and markets, increasing the pressure on development organizations to deliver more features under tight schedules and budget – and unreliable, unsafe and insecure software is not an option.
This blog is intended to share insights and approaches to help organizations manage the increasing complexity of embedded software development and to launch secure, high-quality, feature-rich products ahead of the competition.