557,903 active members*
3,521 visitors online*
Register for free
Login Register

Perfection in Protection, Licensing, and Security

Protect the Code: It’s a National Imperative

January 2020
Author: med_wibu-systems
Protect the Code: It’s a National Imperative

In his syndicated Software Integrity Blog, Jonathan Knudsen of Synopsis, recently made a case for why software should be considered critical infrastructure. He points out that the U.S. recognizes 16 sectors of critical infrastructure that are acknowledged crucial to national economic security and public health. Other countries have similar lists. The most important sector, says Knudsen, is Information Technology, as it is at the intersection of the foundations upon which every other sector is built upon. So why, he asks, “do we see a persistent parade of headlines about data loss, system compromise, and failures?”

Knudson points out that software vulnerabilities are an attractive attack vector for hackers as modern systems are extremely complex and fertile ground for exploitable vulnerabilities; cyber-attacks over the Internet provide a degree of anonymity and safety to the attacker; and cyber operations are cheaper and faster than physical operations. In a nut shell, he notes that for cyber attackers, the required effort is low, risks are minimal, and rewards are high.

The Institute for Critical Infrastructure Technology (ICIT), a Cybersecurity Think Tank, makes a similar case. In a white paper published in April 2019, Software Security is National Security | Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security, the ICIT concludes that a lack of software security is a national threat. Today, they say, “software runs the world. PCs, mobile devices, the cloud, the Internet of Things, operational technology, vehicles, appliances, utilities and nearly every modern device runs on code.”

The white paper notes that an estimated 84% of security breaches exploit vulnerabilities in the code at the application layer, making it a most attractive attack point. To understand the magnitude of vulnerabilities that may exist in code, NIST Fellow Dr. Ron Ross, said that “for an application with 50 million lines of code (LOC), assuming the empirically found rate of 4.9 flaws per 1,000 LOC, the application will have between 2,400 to 12,200 potential security vulnerabilities present at release.”

These statistics certainly make a case for secure-by-design development principles to minimize potential vulnerabilities in the code and mechanisms to protect the code that’s already out in the field or about to be launched.

Secure by Design is increasingly becoming the mainstream development approach to ensure security and privacy of software systems. In this concept, security is built into the system from the ground up and addresses the cyber protection considerations throughout a system’s lifecycle. This includes security design for the identification, protection, detection, response and recovery capabilities to strengthen the cyber resiliency of the system.

A number of global industry associations and security vendors, like Wibu-Systems, have proposed security standards and software development frameworks, all based on the core security by design foundation. A good software security reference document was released earlier in the year by BSA | The Software Alliance. The report, The BSA Framework for Secure Software: A New Approach to Securing the Software Lifeycle, provides a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products.

Examples of real-world use cases for software security solutions can be found in this document, Security 4.0 by Default and Growth 4.0 by Design.

For more information on code protection, take a look at Wibu-Systems CodeMeter Protection Suite, which employs sophisticated encryption mechanisms to protect software from malicious attackers.

Blog Archiv

August 2022
July 2022
June 2022
April 2022
March 2022
February 2022
November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
October 2016
September 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016