Society has moved from the industrial age through the birth of the internet into an era in which software is the most critical component of the modern world. Manufactured products once left the factory with a single fixed purpose; now, through updates delivered over the internet, they evolve or play host to the 4.5 million apps available on the Google, Apple and Microsoft platforms, and with mobile phone usage still rising, software looks set to keep this role for some time. From national infrastructure to banking and even the cars we drive, software is vital for our health, safety and wellbeing.
Rise of IoT makes software assurance more vital
Analysts suggest there will be 50bn Internet of Things (IoT) devices in use by 2020, yet the playbook for IoT development is still immature. There is, for example, no common IoT platform; several large technology companies are competing to own the platform of choice, and securing that platform appears to be a secondary concern, if it is a concern at all. Recent DDoS (distributed denial of service) attacks launched from hijacked consumer devices, and a string of vulnerabilities in consumer electronics, show that too little attention is being paid to securing IoT devices.
Take the Smart TV, arguably the most popular and commonplace connected device in our homes today. It is effectively a mini-computer with WiFi access and applications that ask users to enter personal information such as email addresses, phone numbers and full names. With no regulation of Smart TV apps, an attacker who gets code onto the set can readily reach the file I/O and the screen/app control APIs, and in many cases Smart TV apps run with full "root" access. An attacker can capture and use the homeowner's personal information, but it does not necessarily stop there: a company laptop on a home WiFi network that has been compromised through the Smart TV is a threat to the company the homeowner works for. Furthermore, last year students at the University of Alabama hacked the pacemaker in a robot used to train medical students, which in theory would have let them kill that 'patient'. Unsurprisingly, there is now a palpable fear that a major category of IoT products embedded in life-critical applications such as healthcare, critical national infrastructure (CNI) or automotive is vulnerable to a serious attack through sheer negligence in software security.
IoT security will be enhanced
Over the next few years, industry groups and regulatory frameworks in automotive (MISRA) and healthcare (HIPAA), backed by government agencies, are likely to expand their role in ensuring that the software embedded in IoT devices meets an agreed level of security and compliance. Organisations, and device vendors in particular, need to plan for this change and start considering how to build a secure software development lifecycle.
Preparation for the introduction of the EU GDPR
The European General Data Protection Regulation (GDPR) was adopted in April last year and applies from 25 May 2018 to any organisation handling the personal data of citizens of any EU country. So, even though Britain has voted to leave the EU, British companies with customers in other EU countries will still need to prepare for the regulation. Although each country will have a national supervisory authority to dole out fines, the maximum fines have been confirmed at up to four per cent of global annual turnover (or €20 million, whichever is higher) for serious infringements, including security failures that lead to a data breach. Rather than risk such a hefty fine, businesses should be shoring up their security in 2017.
Augmented reality (AR) and virtual reality (VR) risks
VR and AR both had a big 2016 and will likely reach the mass market in 2017, so developers will be racing to build software for emerging platforms such as Oculus and Microsoft HoloLens. In that rush, proper application security practices may not be followed, with developers or vendors choosing to get to market first and patch security issues later. This lack of focus on security exposes end users to vulnerabilities which, when exploited, may give an attacker access to the user's camera and microphone and, in some cases, even spatial mappings of their surroundings.
Secure development skills shortage
The lack of secure development awareness is rooted in the skills shortage that organisations face. The situation is getting worse according to Symantec CEO Michael Brown: "In 2015, more than 200,000 cybersecurity job positions went unfilled, a shortfall that is on track to increase to 1.5 million by 2019." To address this, the industry needs to stop applying a bandage and start treating the patient, which means dealing with the underlying problem of insecure software code. Developers will become more empowered and receive the right training and tools to deliver software with fewer vulnerabilities. Educating developers is paramount to plugging the AppSec skills gap, and encouragingly 48 per cent of respondents to the survey for the recent SANS Future of Application Security report named developer training as one of their top three AppSec processes. By 2020, more universities will introduce secure development courses, and developers will be measured not just on the functionality and speed of app delivery but also on how secure their code is against measurable standards.
Amit Ashbel, cyber security evangelist, Checkmarx