HINT: They Don't Work In Your Organization:
In general, code security often gets overlooked, and when it comes to embedded software, it has long taken a back seat to code quality. But there are plenty of people who do care about code security and are testing the security of your code. Unfortunately, most of them don't have your interests in mind.
Code security is based on secure coding practices: writing applications that are resistant to attack by malicious or mischievous people or programs. Secure coding helps protect a user's data from theft or corruption. Conversely, an insecure application can allow an attacker to take direct control of a device or to use it as an access path to another device, resulting in anything from a denial of service to a single user to the compromise of secrets, loss of service, or damage to the systems of thousands of users.
Secure coding is important for all software; whether you write code that runs on mobile devices, personal computers, servers or embedded devices, you should become familiar with the techniques and tools to support this practice.
Are You A Target?
Every application is a potential target. Attackers will attempt to find security vulnerabilities in your applications, firmware or operating systems. They will then try to use these vulnerabilities to steal secrets, corrupt applications and data, and gain control of computer systems, networks or computer-controlled devices. This type of exploit can put property, data and lives at risk.
Security is not something that can be added to software after the fact. Just as adding a deadbolt to a door made of cardboard won't make it more secure, an insecure device or application may require extensive redesign to secure it. You need to identify and understand "threat vectors," the nature of the threats to your software, and address them by incorporating secure coding practices throughout the planning and development of your product.
Hackers and Attackers…
The term hacker usually carries negative connotations, but within the computing community it refers to an expert coder, someone who likes the challenge of examining the intricacies of code or an operating system. In general, hackers are not malicious or criminal. Often, when hackers find security vulnerabilities in code, they report them to the organization that wrote the software so that it can fix the problem. Some companies now even offer a bounty to hackers who find bugs in their software. However, some hackers, especially if they feel their warnings are being ignored, publish the vulnerabilities or even devise and publish exploits (code that takes advantage of the vulnerability).
The malicious hackers who break into applications and systems to do damage or to steal something are usually referred to as attackers or black hats. Most attackers are not highly skilled; they take advantage of published exploit code and known techniques to do their damage.
Attackers have a variety of motives. Some may be looking to steal money, information, identities, and other secrets for personal gain; corporate secrets for their employer's or their own use; or state secrets for use by hostile governments or terrorist organizations. Some hackers break into applications or operating systems just to demonstrate their skills and gain bragging rights, but they can nevertheless cause considerable damage. Because attacks can be automated and replicated, any weakness, no matter how slight, can be exploited.
No Device Should Be Considered Safe
Devices and applications are constantly under attack. With increasing regularity, black hat hackers find new vulnerabilities and publish exploit code. Criminals and malcontents then use that exploit code to attack vulnerable systems. And the hackers have an increasingly easy time finding devices to attack, using tools like Shodan, a search engine that lets users find specific kinds of devices (routers, servers, etc.) connected to the Internet using many different types of filters. Things that have been found using Shodan include Caterpillar trucks whose onboard monitoring systems were accessible; heating and security control systems for banks, universities, and corporate giants; surveillance cameras; and fetal heart monitors.
Also, security researchers and white hat hackers have found vulnerabilities on a variety of systems that, if exploited, could have resulted in the loss of data, allowing an attacker to steal secrets, or enabling an attacker to run code on someone else’s computer.
A large-scale, widespread attack isn't required to cause monetary and other damages; a single break-in is adequate if the compromised device contains valuable information or controls critical systems. Although major virus or worm attacks get a lot of attention from the media, the exploitation of a single device often goes unnoticed and can have a significant impact on a person or business.
Time Is the Enemy
Hackers have the luxury of time, expertise and computing resources, and may find vulnerabilities in software that was released years ago. Because of this constant threat, organizations need to care about security the way they have cared about quality, and give developers the training and tools to deliver reliable, safe and secure code.
For more information on how to improve code security, check out the white paper ADDRESSING SECURITY VULNERABILITIES IN EMBEDDED APPLICATIONS USING BEST PRACTICE SOFTWARE DEVELOPMENT PROCESSES AND STANDARDS and start protecting your applications.