Security by design: greater need for governance?
8 March 2018
Hot on the heels of the French legislators, the government in the UK is now announcing tougher guidelines for device manufacturers in its Security by Design review. Crucial here is the move to build security into smart devices from the very beginning and to ensure software is automatically updated.
This approach is a major step forwards in the ongoing battle for software security, and if implemented across the board by businesses, will enable them to significantly mitigate risk.
Today, 80 – 90% of applications – including those crucial to the proper function of smart devices – are composed from reusable software parts called open source components.
While these parts play a vital role in driving innovation and powering the world as we know it, our analysis of open source components downloaded from the Central Repository found that in 2017, 1 in 8 components downloaded by developers in the UK contained a known security vulnerability.
No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products. Why should software manufacturers be any different?
Shipping known vulnerable software components in one’s product in any other manufacturing industry would be considered gross negligence. Connected toys and smartwatches, however, are only the tip of the iceberg.
If we factor in products such as connected pacemakers and driverless cars, this turns into a life or death situation. This isn’t even taking into account the increasingly connected nature of heavy manufacturing and utilities: industries that affect everyday life and have a huge impact on everyone, no matter who they are or where they work.
Software security therefore cannot and should not be ignored. It’s great to see another example of the UK being right on the money from a legislative and consumer safeguarding standpoint, providing an example to follow and emulate.
The National Cyber Security Strategy 2016-2021 states that ‘Businesses and organisations decide on where and how to invest in cybersecurity based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.’
Passing the onus onto device manufacturers to keep their devices safe and automate security is another step in the right direction for a safer, connected world. As attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities, there is no excuse for other areas of industry not to implement similar governance policies.
The ICO went as far as to fine Gloucester City Council £100,000 in June 2017 for not preventing a cyber-attack that exploited a very well-known vulnerability – OpenSSL Heartbleed. And with GDPR around the corner, even heftier fines are likely to be imposed.
Fortunately, the challenges of vulnerable software components are easily solved by using a DevSecOps approach – a practice that smart device manufacturers should be adopting for software-based products. This enables security and governance to be automated from the start and implemented everywhere within a DevOps pipeline.
Instead of using manual reviews of code, which leaves businesses at risk of human error, DevOps practices can utilise machines to adjudicate all components. With these latest guidelines recommending that software be automatically updated, we expect to see more and more businesses implementing a DevSecOps approach.
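An added illustration of the automated component adjudication described above (example code written for this page, not Sonatype's or any product's own tooling): a build step matches each declared open source component against an advisory feed, using numeric version-range comparison, and fails the pipeline at a chosen severity. Component coordinates, advisory identifiers, version ranges and the manifest are all constructed placeholders.

```python
# Added example, not Sonatype's own tooling: a pipeline gate that rejects known-vulnerable
# open source components. Advisory ids, version ranges and the manifest are constructed.
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    # '1.2.10' -> (1, 2, 10): compare numerically, not as strings ('1.10' > '1.9')
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    component: str        # dependency coordinate, e.g. group:artifact
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix released
    severity: str
    advisory_id: str      # placeholder identifier, constructed for this example

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)

# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = [
    Advisory("org.example:json-parse", "2.0.0", "2.8.4", "high", "EXAMPLE-2017-0001"),
    Advisory("org.example:http-core", "1.0.0", None, "critical", "EXAMPLE-2017-0002"),
    Advisory("org.example:logging", "3.1.0", "3.1.2", "medium", "EXAMPLE-2017-0003"),
]

# Constructed manifest: one component updated past its fix, one inside an advisory
# range with a fix available, one affected by an advisory that has no fix yet.
SAMPLE_MANIFEST = {
    "org.example:json-parse": "2.8.4",
    "org.example:logging": "3.1.1",
    "org.example:http-core": "1.4.0",
}

def adjudicate(manifest: dict, block_at: str = "high") -> dict:
    """Match every declared component against the feed; fail at or above block_at."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    findings = []
    for name, version in manifest.items():
        for adv in ADVISORIES:
            if adv.component == name and adv.affects(version):
                findings.append((name, version, adv.advisory_id, adv.severity, adv.fixed))
    blocking = [f for f in findings if rank[f[3]] >= rank[block_at]]
    return {"findings": findings, "passed": not blocking}
```

Each finding carries the first fixed version (or None) so the same step can tell the developer whether an update exists or the component needs replacing.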
Increased governance practices will become even more relevant this coming May when GDPR enforces the requirement to design security in from the beginning. For those not yet paying attention to software liability, now is the time.
Derek Weeks, VP and DevOps Advocate, Sonatype