In his syndicated Software Integrity Blog, Jonathan Knudsen of Synopsis, recently made a case for why software should be considered critical infrastructure. He points out that the U.S. recognizes 16 sectors of critical infrastructure that are acknowledged crucial to national economic security and public health. Other countries have similar lists. The most important sector, says Knudsen, is Information Technology, as it is at the intersection of the foundations upon which every other sector is built upon. So why, he asks, “do we see a persistent parade of headlines about data loss, system compromise, and failures?”
Knudson points out that software vulnerabilities are an attractive attack vector for hackers as modern systems are extremely complex and fertile ground for exploitable vulnerabilities; cyber-attacks over the Internet provide a degree of anonymity and safety to the attacker; and cyber operations are cheaper and faster than physical operations. In a nut shell, he notes that for cyber attackers, the required effort is low, risks are minimal, and rewards are high.
The Institute for Critical Infrastructure Technology (ICIT), a Cybersecurity Think Tank, makes a similar case. In a white paper published in April 2019, Software Security is National Security | Why the U.S. Must Replace Irresponsible Practices with a Culture of Institutionalized Security, the ICIT concludes that a lack of software security is a national threat. Today, they say, “software runs the world. PCs, mobile devices, the cloud, the Internet of Things, operational technology, vehicles, appliances, utilities and nearly every modern device runs on code.”
The white paper notes that an estimated 84% of security breaches exploit vulnerabilities in the code at the application layer, making it a most attractive attack point. To understand the magnitude of vulnerabilities that may exist in code, NIST Fellow Dr. Ron Ross, said that “for an application with 50 million lines of code (LOC), assuming the empirically found rate of 4.9 flaws per 1,000 LOC, the application will have between 2,400 to 12,200 potential security vulnerabilities present at release.”
These statistics certainly make a case for secure-by-design development principles to minimize potential vulnerabilities in the code and mechanisms to protect the code that’s already out in the field or about to be launched.
Secure by Design is increasingly becoming the mainstream development approach to ensure security and privacy of software systems. In this concept, security is built into the system from the ground up and addresses the cyber protection considerations throughout a system’s lifecycle. This includes security design for the identification, protection, detection, response and recovery capabilities to strengthen the cyber resiliency of the system.
A number of global industry associations and security vendors, like Wibu-Systems, have proposed security standards and software development frameworks, all based on the core security by design foundation. A good software security reference document was released earlier in the year by BSA | The Software Alliance. The report, The BSA Framework for Secure Software: A New Approach to Securing the Software Lifeycle, provides a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products.
Examples of real-world use cases for software security solutions can be found in this document, Security 4.0 by Default and Growth 4.0 by Design.
For more information on code protection, take a look at Wibu-Systems CodeMeter Protection Suite, which employs sophisticated encryption mechanisms to protect software from malicious attackers.
