Security: Who's Running the Show, Anyway?
June 12, 2015
When it comes to software quality, vertical markets have historically been isolated from one another. Since each market has different needs, there is no “one size fits all,” which makes a common standard next to impossible to implement, even though it would seem a fairly routine process.
You might be surprised to hear me say that this is not a problem in and of itself. After all, the security requirements of the aerospace industry would differ wildly from those of, say, the fitness segment. No problem.
However, what happens when that exercise bike, which is tallying your personal fitness stats, is connected to the Internet? The security bar has just been raised in a way the fitness segment is not necessarily equipped to handle, and suddenly there is a risk that outsiders could access a leading athlete’s training data.
While various groups have been established to ensure that sufficiently strong algorithms are used and that communication protocols are robust, no industry group has embraced a particular security standard, nor stated what that standard should be. Efforts therefore focus on the algorithms themselves, looking at things like how fast they are. As a result, security verification suites often neglect the quality of the surrounding software, checking instead only that the algorithm is implemented correctly.
Of course, silicon vendors, whose number one agenda is to sell silicon, don’t help. They tend to play down the need for a security standard, touting chip-based algorithms as the way to go. Unfortunately, that solves only part of the problem, leaving significant vulnerabilities in the application code built on top of the chip.
Security will only be achieved when we find a way to come together on an overarching security standard. Granted, that standard would need to be adapted for each vertical market, just as industry safety standards have been, but it’s time to get things rolling.
Next time, let’s discuss how vertical markets can start applying a security process now. Who knows? Maybe this effort will pave the way toward establishing that overarching security standard.
Dave Hughes is the CEO and founder of HCC Embedded, a developer of re-usable embedded software components. Dave is a “hands-on” embedded specialist, who still actively contributes to the strategy and direction of HCC’s core technologies. His extensive experience has made him one of the industry’s leading authorities on fail-safe embedded systems, flash memory, and process-driven software methodologies. He is a graduate of the University of Sussex in England.