fThe Path to Software Security
Our lives keeping getting more connected every day, from the time we wake up in the morning, to when we set the alarm clock at our bedside at night, we are connected, using software for everything. Our cellphones today have more computational power than the computers who took man to the Moon in 1969. If like many Norwegians, you drive a Tesla, your car will probably have more lines of code than the software used on all connected devices you have at home. It gives us a perspective on how software and hardware evolved and how big and complex our systems are today.
In 2000, Gary McGraw and Greg Morisset wrote an article about the Trinity of Trouble, which addresses 3 of the biggest problems we face today with Software everywhere. And when we say everywhere, we mean everywhere!. So, what can go wrong when we are pushing so much of our life into Software controlled tools, devices, cars, etc.?
We are still not in the SkyNet Era, but the problems we face in Software are as dangerous as robots driving trucks and chasing humans. A quick and notorious example is the Boeing 737-Max, or to stay on Norwegian Soil, the Norsk Hydro attack. Software is intrinsically part of our day-to-day lives. On our training we always say that in today’s world, it is usually worse to lose your cellphone than your wallet; your cellphone keeps much more secrets and private information than any wallet. Pictures, e-mails, SMS, documents, vaults for money, and our entire digital life is there. When you sign-in for a new service, have you ever asked about how they handle Security?
Security is hard — in fact, it is applying Security correctly that is hard. We can argue on how much Security Tools help us with this task or how much Inside Process I need to have to make my Software Secure. Tools and Process are, indeed, a crucial part of Software Security and having a Secure Software Development Lifecycle in place is the best approach to unify these two. However, there is a third factor that is often relegated: The Culture inside development teams and that is the point of attack for us in Kongsberg Digital now.
The Path to Software Security — Using Security Champions
Usually, security is viewed as a blocker, the Security Team always comes with a report showing vulnerabilities, or with a “No, you can’t expose your Database to the Internet”. It’s still more work to development teams, and that’s why the Security Team is never invited to meetings anymore.
But the truth is: We don’t want to be the bad Sheriff, arriving at the meetings saying No, No, No! And acting as the blocker only with problems, never with solutions. Neither do the Developers want to ship software with vulnerabilities or with significant security architecture flaws. What both want is to ship software with security embedded, like quality. We have the goal to deliver software security as we deliver software quality, both teams working toward a common goal: Better software for the client, and better Security built-in. Because the customers today expect that your software is stable, reliable, functional and secure.
The way to achieve this is working together, identifying gaps, talking with the developers, understanding where they struggle with security and discovering how we can solve the problems. Although we work hard, it is impossible to attend all meetings and forums for all teams; like in many other companies, we are a small team. How are we trying to solve this problem? Security Champions.
SAFECode is a very good resource of best practices around Software Security. Here is an excellent definition of what a Security Champion is, along with an illustration on how the role bridges the gap between dev and security teams in an organization.
Basically, a Security Champion is a Software Developer or Software Architect who wants to learn more about Security and help the Security Team leverage all the security things inside the development team. It’s someone who can join the charge on bugs and flaws together with the Security Team; we still hold the flag for security, but now we have more people around us, fighting for the same goal, learning, iterating and teaching others on how to make the software more secure.
The Path to Software Security — Kongsberg Digital
We started our program here at Kongsberg Digital last year intending to create a closer bridge between the Security Team and Development Teams, to work together on security best practices and security awareness. One of the main challenges was finding the right person, not only someone with experience in different software stacks, but someone who was really looking to dive deep in the security pool. With the help of upper management, we achieved success on recruiting Security Champions for all the products, thus engaging people around a better understanding of security, with the result of delivering our products with the mindset of Security in place.
We are still facing challenges, mostly between the balance around prioritization of features vs. security, but the awareness around security is much bigger now. The key factor of security being everyone’s job is much more discussed now than months ago, and with a plus: It’s not only the Security Team saying this, now we have the Security Champion, a vital resource on the development team, saying that Security is essential, and we should prioritize. The Security Team is not the outsider anymore, we are acting as a problem solver rather than a blocker, and all teams can see the real value of having security in the early phases of the product.
Since we started the Security Champions programs, with regular meetings and discussions, we noticed a significant improvement on security alerts around our Infrastructure, some common issues and misconfigurations are now gone. The security maturity of some of the teams is getting better, and we already have teams performing Threat Modeling without the presence of security team resources, which is great and show how our approach is going in the right direction.
Of course, we still have a lot to do; we successfully engaged people in thinking about security and understanding that security is everyone’s job. We can guide and point the way to the Security path, but the developers need to walk it themselves, and for that, they will need to learn and understand how more tools and better processes will facilitate the job.
For now, I just want to praise everyone from the Kongsberg Digital Development Teams for the effort, we are going in the right direction. Thank you!
“So now, when we face a choice between adding features and resolving security issues, we need to choose security.”
Bill Gates — 15/01/2002
