5 Trends in Software Security

2015 brought a number of high-profile security breaches, putting company and consumer information at risk. Ashley Madison, VTech, even the Department of Health and Human Services had their data compromised.

It could have been avoided.

You've heard this before, but companies like DCG, and my company, proServices, will continue to bring it up until security is taken more seriously. The first step is staying aware of the latest security threats in order to appropriately ward them off. But, as one risk dies out, another will always take its place.

Risk Management

Download this white paper to learn the top 5 vulnerabilities of 2015 - and what's on the horizon for 2016.


Rob Cross
PSC, Vice President

Written by Rob Cross at 05:00

Software Quality ZZZzzzz … Boring!

Enjoy today's guest post from PSC Vice President, Rob Cross!

For over a decade PSC has analyzed and scrubbed code for quality defects. Yet, it’s almost a standing joke in the industry that software quality is still a “nice to have” and not a “need to have.” For example, we recently met with a prospective customer who, during the initial meeting, informed us that he knew his organization’s software had many flaws in it. However, sales had not been negatively impacted and customers were okay with being inconvenienced by buggy software as long as they had access to great support, where their voices could be heard and problems eventually addressed. If this example is as irritating to read as it was to write, then you have some context for what happens next.

Me: Guys, I understand you’re doing what has always been done in the past, but eventually such practices will catch up to you. Perhaps you should seize the opportunity to build more reliable and secure software. This would help you to strengthen your brand and increase engineering productivity and efficiency, leading to higher profits and less risk.

Prospect: We’ve made investments in the past by buying several tools for our engineers, which provide us with defect information.

Me: So you have trained every engineer in how to use the tool, purchased enough licenses for all of them to access the tool, integrated use of the tool into your processes, hired an administrator for the tool, have regular training sessions for the tool, developed or subscribed to a coding standard, produced reports capturing the flow and accountability of the data throughout this process and provided management a view into this so that they can make decisions? Is that what you mean? And one more thing, how do you get a guarantee from your engineers that they will never compromise on this process?

Prospect: The reality is that we put up a good fight, but our engineers are stretched too thin. The only thing that is guaranteed around here is that our engineers will be distracted daily with fire drills from our support team to fix a critical defect found by our customers. We don’t have the time, focus or energy to do the stuff you’re talking about, but we make the best effort.

After explaining that PSC does all of the above as a turnkey solution and guarantees the results, the prospect decided that it didn't need help for now. With its next huge release scheduled for the following month, it felt that it couldn't spare the cycles.

Quality is Really Boring

I understand looking through your own code is not fun. That’s why every writer has an editor. Writers love to create new things for people to experience and hate reading their own stuff for quality or issues – but there is still a process in place for oversight. Why do we treat our software developers any differently?

If you gave a software engineer the option to work on the next new “hot” release or spend the next two weeks peer reviewing software from the last release, which do you think he or she would choose?

Quality might be boring; however, its importance is core to a company’s brand in every way. In many cases, your software is your brand because it powers the products or delivers an experience your customers will remember and associate with your brand. It costs your company millions of dollars every year to acquire new customers and keep your existing ones, but you can lose them with a single software glitch.

Net-Net

It is sometimes a torturous existence being an advocate for software quality, but life doesn’t have to be that hard. There is a company out there willing to help. If the above story sounds familiar, please give us a call.


Rob Cross
PSC, Vice President


Software Overkill and the Software Arms Race

This past year I leased a new car, and it has all of the gadgets, sensors, widgets, "whatchamacallits" and "doohickeys" you see on the commercials. I'm certain this thing has millions of lines of code piping through it at light speed when I turn the ignition ... WAIT! I just forgot ... I don't turn a key anymore, I now push a button. When I shift the car into drive ... WAIT! I just forgot ... I don't shift anymore, I now push a button. In fact, while it’s moving, this vehicle is monitoring everything from the outside temperature, to my seating posture, to a 360-degree picture of where it is in relation to other cars on the road and the road itself. I'm amazed at the advances in vehicle technology in the past five years and a bit frightened of the ones coming in the next five years.

I recently watched the 60 Minutes exposé on self-driving cars, where they interviewed the heads of self-driving car development from Mercedes-Benz and Google. (By the way, how does an internet search company get into self-driving cars? I'll save that for another time.) The car they were driving … oops, I mean the car that was driving them … has traveled 20,000 miles without an accident. That's impressive. Sure, there are some shortcomings with the car. The technology can't handle snow. Google's cars can't operate in heavy rain. The Mercedes S500 can't decipher hand gestures from traffic cops or pedestrians. These problems were all claimed to be solvable over time.

The Driverless Car Arms Race

Uber, Google, Audi, Tesla, Mercedes-Benz and others are investing in technology to move as fast as possible towards a driverless model. I remember as a kid being envious of George Jetson's capsule car but never thought autopilot in vehicles would come true in my lifetime. What's the rush? Well, these companies claim that having a driverless society would make the roads safer, and I believe them, but that would mean adoption would have to be 100 percent. The most unpredictable element on the road today is the human, and we are trying to engineer them (us) out of the equation.

What's to Come?

If you know how to write software or how to be a part of the software development ecosystem, then you should be gainfully employed in Detroit or in other high-tech companies looking to move in this direction for the rest of your life. Most of the innovation to accomplish this will have to be in software.

You know what's coming next, right? Government regulation. Which, by the way, I'm a fan of in this case in order to hopefully hold these companies accountable for meeting software safety standards that other industries have to comply with, like aviation. What's the difference between a jet plane on autopilot and your car being on autopilot, and why shouldn't the two be held to the same standards?

Respect the Human

I get it. Cars driving themselves are safer. This would allow us to do more productive things with our life, such as bury our heads further in our smartphones to catch up on Facebook or play a vicious game of Candy Crush.

For me, driving a car is an emotional experience. You are in control of your freedom knowing that you can drive almost anywhere.

Software Quality and Security

Did you really think I would write all of this without mentioning the importance of software quality and security? I don't believe traditional car manufacturers understand the investment it will take to ensure the quality and security of software going into these vehicles. They have to evolve, from their operations to their culture. I openly admit companies like Tesla, Google and even Apple (if they decide to build the "iCar") have an advantage because they see the car as a software platform that you plug hardware into. Unfortunately, others view it the other way around and will have a hard time getting out of their own way.    

In the meantime, I have turned off my lane departure warning and forward collision warning sensors because of too many false positives. My passengers think perhaps it's my aggressive driving. They might be correct, but at least it's still my decision if I want to exceed the speed limit, beat another car off the line at a stop light or get to my destination 15 minutes early. That's right! It's my freedom of expression through driving! So get your “vroom vroom” on while you still can, before the autobots take over the roads and your garage.


Rob Cross
PSC, Vice President


Volkswagen Emissions Software Scandal

“Volkswagen says 11 million of its cars have emissions-test-beating software.” – Fox News.

According to an NBC report, the U.S. Environmental Protection Agency (EPA) announced that Volkswagen had surreptitiously equipped its diesel vehicles with software designed to recognize when those vehicles were being tested on a dynamometer, essentially an automotive treadmill. In that situation, the full complement of emissions control systems would operate at maximum, bringing the vehicles into compliance with U.S. – and even tougher California – emissions standards. But once the testing was over, according to the EPA, the vehicles would switch to a different mode, allowing nitrogen oxide (NOx) emissions to rise to as much as 40 times the standard.

I have to admit, I’m impressed with the simple, yet sophisticated software embedded in these vehicles. The engineer who developed the Volkswagen software to beat emissions testing equipment should never be without work again, after inevitably getting fired from VW in the coming days, and I’m sure he’ll just be the first of many up and down the management chain. I can think of many cyber security firms who would hire this individual for their hacking/malware skills. To build a piece of software that detects the type of equipment it’s interfacing with and, in real time, adjusts the behavior of the vehicle before going dormant is brilliant.

Is It or Isn’t It “Malware”?

Calling the undocumented feature “software” might be incorrect, as many would label it “malware.” According to Kaspersky Lab’s malware definition, “[Malware] is short for malicious software and refers to any computer program designed to do things that are harmful to or unwanted by a computer’s legitimate user,” so Volkswagen’s “emissions software” may indeed be “emissions malware.”

THE CASE FOR – Clearly the intent was to purposefully recognize the testing equipment and put the car into a mode where emissions performance was stellar. If the vehicle’s tuning was in a state of weak emissions control before the test, switched to maximum emissions control during the test, and then returned to weak control afterwards, it’s hard to argue there wasn’t malicious intent. From the reports, it seems like this was the case; therefore, I believe we have been duped.

 THE CASE AGAINST – Now I will embrace the merciful side of my personality. Perhaps said brilliant engineer wasn’t so bright and built a piece of software for Volkswagen’s internal emissions testing purposes, to determine vehicle maximum performance settings by country for shipment. Again, a great test program to determine this, but perhaps it’s a sign of something different, like a flaw in their process. Maybe this software was loaded into the vehicle’s test build via their configuration management system but wasn’t excluded from their production build for shipment. If this was the case, then the engineer who built the code might be off the hook, but the process and config management people would be in the hot seat. Another possibility is a flaw in the code logic. Maybe the intent was that after maximum performance was determined, based on how the car was tested, it was supposed to use that “state” as the default versus regressing back to a low performance as the default. It might be a case of missing logic. Sounds like a great case for a software testing firm to take a look at the code to see if intent can be determined from the fingerprints in the code.

Ultimately, the classification of this little beauty inside Volkswagen’s cars will be left up to the courts and lawyers, but regardless of the final outcome, Volkswagen is paying for what comes down to a software quality issue.
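The behaviour the EPA described, and the kind of check that exposes it, as an added example that is not Volkswagen's code and not anything PSC has published: a hypothetical controller that keeps the emissions controls at full strength only while a constructed "this looks like a dynamometer" heuristic holds, next to an honest controller, and a differential test that replays the identical drive cycle once with bench sensor inputs and once with road sensor inputs. The heuristic, the calibration values (the 40x gap echoes the figure in the reports, the absolute numbers are made up), the drive cycle and the sensor traces are all constructed for illustration.

```python
"""Toy defeat device and the differential test that catches it (hypothetical)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    """One reading from the vehicle bus (constructed for this example)."""
    speed_kph: float
    steering_deg: float   # steering-wheel angle
    lateral_g: float      # lateral acceleration


# Two emissions calibrations. "compliance" runs the controls at full strength;
# "road" trades control for power and economy. Values are constructed.
NOX_MG_PER_KM = {"compliance": 60.0, "road": 60.0 * 40}


def looks_like_dyno(window):
    """Hypothetical test-bench heuristic: the wheels turn, but nobody steers and
    the car never corners. On a chassis dynamometer that is exactly what the
    sensors report; on a real road it practically never is."""
    moving = any(s.speed_kph > 5.0 for s in window)
    no_steering = all(abs(s.steering_deg) < 1.0 for s in window)
    no_cornering = all(abs(s.lateral_g) < 0.02 for s in window)
    return moving and no_steering and no_cornering


def defeat_controller(window):
    """Environment-aware mode selection: the behaviour the EPA described."""
    return "compliance" if looks_like_dyno(window) else "road"


def honest_controller(window):
    """A compliant controller uses the same calibration everywhere."""
    return "compliance"


def run(controller, trace, window_len=5):
    """Replay a sensor trace through a controller that, as on a real ECU, only
    ever sees a trailing window of samples. Returns (modes, nox) per sample."""
    modes, nox = [], []
    for i in range(len(trace)):
        mode = controller(trace[max(0, i - window_len + 1): i + 1])
        modes.append(mode)
        nox.append(NOX_MG_PER_KM[mode])
    return modes, nox


# A constructed speed profile standing in for a regulatory drive cycle.
CYCLE_KPH = [20, 30, 40, 50, 60, 60, 50, 40, 30, 20]


def as_dyno(speeds):
    """The cycle as a dynamometer delivers it: no steering, no lateral g."""
    return [Sample(v, 0.0, 0.0) for v in speeds]


def as_road(speeds):
    """The same cycle with the small steering and cornering inputs a road
    always produces (constructed constants)."""
    return [Sample(v, 2.0, 0.04) for v in speeds]


def differential_test(controller, speeds=CYCLE_KPH, max_ratio=1.5):
    """Emissions must depend on the drive cycle, not on whether the car thinks
    it is being watched: run the identical cycle both ways and compare."""
    _, dyno_nox = run(controller, as_dyno(speeds))
    _, road_nox = run(controller, as_road(speeds))
    ratio = mean(road_nox) / mean(dyno_nox)
    return {
        "dyno_mean": mean(dyno_nox),
        "road_mean": mean(road_nox),
        "ratio": ratio,
        "environment_dependent": ratio > max_ratio,
    }


def mode_transitions(controller, speeds=CYCLE_KPH):
    """A lab test followed by the drive home: where the controller changes
    mode is the 'goes dormant afterwards' signature from the reports."""
    modes, _ = run(controller, as_dyno(speeds) + as_road(speeds))
    return [(i, modes[i - 1], modes[i])
            for i in range(1, len(modes)) if modes[i] != modes[i - 1]]


if __name__ == "__main__":
    for name, ctl in (("defeat", defeat_controller), ("honest", honest_controller)):
        print(name, differential_test(ctl), mode_transitions(ctl))
```

The differential test never needs the source code: running the identical workload in two environments and diffing the outcome is the same technique that exposes sandbox-aware malware, and it is essentially what on-road testing did to these vehicles. A code review looks for the other fingerprint, branches that key on sensor conditions unrelated to the physical quantity being controlled, which is the kind of evidence of intent the testing-firm idea above would be hunting for.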

What’s the So What?

Software is eating the world and the sooner automobile makers realize this, the better off we all will be. The days of driverless cars are coming faster than we think, and from collision warning sensors to infotainment, your car’s software is far more complex than the hardware it rides on. This means that automotive cybersecurity is a mounting issue that will need to be addressed.

News outlets are reporting that VW has reserved as much as $7B to clean this mess up, and their stock price dropped 17% yesterday, resulting in a loss of billions in value to shareholders for what could have been a faulty or missing code logic, mismanagement of files/builds or intentional malware loaded onto vehicles without management knowing. Either way, the days of software being treated like a second-class citizen inside auto companies are gone. Auto executives need to dial in their awareness of software security, cyber and quality defects if they don’t want their lunches to be eaten by the likes of Tesla, who puts software first.


Rob Cross
PSC Vice President


An Open Letter to Apple ... From a PSC Summer Intern


This year PSC hosted a summer intern program, which included the opportunity to participate on the blog. As the first generation that is “fully connected” from birth, these young adults consider technology another appendage and have much higher expectations for the products they depend on every day. The post below, from one of our interns, Dorothy, gives me hope that millennials care about their data and privacy – not just about having the latest must-have gadget.

Dear Apple,

The announcement about your latest update has me anxiously awaiting your latest features and software – which have always had me in awe. I hear the rumors, see the spoiler videos and honestly cannot wait until the notification icon that lets me know the update is available appears above my settings app. However, after spending the summer working for a leader in software quality and security assessments, I cannot help but have a few questions that I am now dying to ask.

I would like to preface my questions by stating that I am well aware that these vulnerabilities that I’m about to mention can be found in the software of most phones, not just yours. Basically, they can be found in any internet-seeking device, including TVs and computers. But, I’m an Apple fan, so that is where my concern lies, and with the crazy amount of personal, vital information I keep on my iPhone 5s, it scares me to know that someone could instantly access my entire life if they got their hands on my phone.

So, I guess my concern is two-fold. First, Apple, what steps did you take with this update to ensure your software is up to the highest standard of quality upon release? Since you corrected yourself with roughly a-million-and-one “bug fixes” within the month after the original release, I (unfortunately) have to assume that your attempts for heightened quality are mediocre at best. I understand that designing such intricate software is no easy feat, but we, your loving buyers, expect the best from your team upon arrival. Not only do I have to delete almost my entire phone just to download the first round of your update, I have to continue this vicious cycle every time a new -.0.1 comes out. I want to know how you tackle quality and what you’re doing to offer improved quality with every release.

Another question I have is about the security. I have sensitive information on my phone for numerous accounts, some of which are highly sensitive. And let’s not forget about ApplePay (which I personally do not use, but many others do!). What is it that you do to protect this information? Millions of people use your phones – and with great risk. I would like to know that when I log into my email, or Facebook, and especially my checking account, that there’s little-to-no possibility of hackers getting their hands on my information.

What I’m saying is that I’m nervous that you’re not doing your best. As I have already stated, I am aware that these risks are possible with any and every phone on the market. So perhaps this is a letter to every phone company, not just you. But I’m an Apple lover, and I need to know that as your products are getting more and more advanced, you are accordingly raising your standard.

I can thank PSC for bringing the need for high quality, secure software to my attention, via my internship. At PSC, we provide our clients with the standard of excellence your products once provided. We can guarantee the quality and security of your future iOS updates, and we can guarantee that what you’re giving to your customers breaks the expectations they have set forth. You can change your ways, Apple – your brand depends on it.      

This is your call to action, Apple. Who are you going to call?

  - Dorothy

Dorothy, of course, is right! Companies like Apple have the opportunity to provide safe, secure, high quality software, but it’s up to them to make that happen. If customers continue to be disappointed by a company’s software, the brand will suffer (and a drop in revenue will likely follow). So, like I always say, we’re here to help. If your software is in need of a boost, reach out to DCG or to us. Together we can help you produce the software that your customers deserve.


Rob Cross
PSC, Vice President
