It’s no secret that in the past 10 years, security issues have changed dramatically in the embedded world. As embedded devices become increasingly networked, developers have to take extra measures to ensure overall product quality and data security.
To date, security industry standards have focused mostly on the strength of cryptographic algorithms and protocols. However, when you look at major security breaches, there’s actually little evidence that strong algorithms alone provide security. Rather, most high-profile breaches come from three main sources: insiders divulging secrets, poor system management, and badly or inappropriately written software. The first two are harder to manage, because it’s up to each organization to control these factors, and clearly when there are humans involved there are no easy solutions.
What we do have control over, though, is process. Recent well-known security issues perfectly illustrate how important process can be. Take the Heartbleed bug in OpenSSL: a missing bounds check let a peer send a heartbeat request whose claimed payload length exceeded the bytes actually received, and the server obligingly echoed back adjacent memory. Behind that one missing check there were no traceable test cases, no boundary case analysis, and, above all, no software life cycle that would have demanded them. It’s clear that developing and maintaining a rigorous software development life cycle process is more important than ever. Software can’t exist in a bubble; rather, the whole system design must be considered.
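To make the "boundary case analysis" point concrete, here is an added example (written for this post, not OpenSSL's code) that models the heartbeat handler in miniature: the message layout follows RFC 6520 (type, 2-byte payload length, payload, padding), but the handler names, the `make_request` helper and the 'S'-filled arena standing in for adjacent memory are all constructed for illustration. The two boundary tests at the end are the kind of test case the paragraph says was missing: one with a length field far larger than the record, one with an honest length field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified model of the TLS heartbeat extension (RFC 6520):
 * a request is  type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * This is an added example, not OpenSSL's code; names are invented. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HEADER = 3 };

/* Backing store large enough for the biggest possible response; the bytes
 * after the real record stand in for whatever else is adjacent in memory. */
#define ARENA_LEN (HB_HEADER + 0xFFFF + HB_PADDING)

static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Shared echo logic: copies payload_len bytes of payload into a response. */
static int build_response(const uint8_t *rec, uint16_t payload_len,
                          uint8_t *out, size_t out_cap) {
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable: trusts the length field inside the message and never compares
 * it with record_len, the number of bytes actually received. */
int heartbeat_vuln(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                     /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    return build_response(rec, read_u16(rec + 1), out, out_cap);
}

/* Hardened: claimed length is checked against what was actually received. */
int heartbeat_fixed(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > record_len) return -1; /* claimed > received */
    return build_response(rec, payload_len, out, out_cap);
}

/* Constructs a request carrying the 2-byte payload "hi" whose length field
 * claims `claimed_len`, in an arena otherwise filled with 'S' (stand-in
 * secrets). Returns the number of bytes genuinely "on the wire": 21. */
size_t make_request(uint8_t *arena, size_t arena_len, uint16_t claimed_len) {
    memset(arena, 'S', arena_len);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xFF);
    arena[3] = 'h';
    arena[4] = 'i';
    memset(arena + 5, 0, HB_PADDING);
    return HB_HEADER + 2 + HB_PADDING;
}

/* Boundary test 1: oversized length field. Returns how many 'S' bytes the
 * handler echoed back, i.e. how much adjacent memory leaked (0 = none). */
int leaked_bytes(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    static uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t record_len = make_request(arena, sizeof arena, 0xFFFF);
    int n = handler(arena, record_len, out, sizeof out);
    if (n < 0) return 0;
    int leaked = 0;
    for (int i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;
}

/* Boundary test 2: an honest length field must still be answered. */
int honest_response_len(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    static uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t record_len = make_request(arena, sizeof arena, 2);
    return handler(arena, record_len, out, sizeof out);
}
```

Against the vulnerable handler, the oversized request returns a 65554-byte response of which 65517 bytes are the 'S' filler that was never part of the message; the hardened handler rejects the same request and still answers the honest one with a 21-byte response. Neither test needs the real protocol to be exercised; both are cheap enough to run on every build, which is the point about process.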
Before I start to examine possible solutions, I want to make it clear that I’m not criticizing open-source software as a whole. Indeed, open-source providers are typically completely open and transparent about the processes used to develop the software. The responsibility lies, however, with the developing organization, to ensure the software they’re proposing to use has been developed using an appropriate process – regardless of who developed it.
There is some good news, though. For one thing, we don’t need to (re)invent the wheel: reliable, safety-oriented development processes are already in place in the aerospace, industrial control, and automotive industries, to name a few. In upcoming blog posts, I’ll take a closer look at those quality standards, the security methods available, and what developers can do to secure a networked embedded device.
Dave Hughes is the CEO and founder of HCC Embedded, a developer of re-usable embedded software components. Dave is a “hands-on” embedded specialist, who still actively contributes to the strategy and direction of HCC’s core technologies. His extensive experience has made him one of the industry’s leading authorities on fail-safe embedded systems, flash memory, and process-driven software methodologies. He is a graduate of the University of Sussex in England.