CSE18: Software assurance and information security

The Cyber Security Executive 2018 event covered a wide range of cyber security topics through keynote speeches, networking and exhibition stands. We attended the event for the second time. elfGROUP had an exhibition stand at the event, and our team consisted of Kari, Pekka, Tom and me, Tuomas. Kari and Pekka represent the elfGROUP sales team, and Tom is our newest addition to elfGROUP’s growing team in the Helsinki region.

Hundreds of executives, security officials and information security managers, interested in cyber security, attended the event. CSE18 was held in Kattilahalli this year, and the program was full of attention-grabbing speeches about cyber security. In my own speech I focused on software assurance and building information security throughout all the layers of software architecture.


Software assurance, API interfaces and IoT

Information systems are increasingly integrated and communicate across system and organizational boundaries. Almost all systems provide API interfaces for information exchange and activities. The users of these systems, both consumers and corporations, also require access through interfaces. API interfaces have become a clear competitive factor, and people even talk about an API economy. The general goal is that all systems should communicate seamlessly and exchange information almost automatically.

At the same time, as environments and systems get more and more complicated, the pace of development increases, and new solutions have to get to the market faster. Companies and organizations develop API strategies, where the information security perspective should be considered in a concrete way. In complex environments the systematic development of information security is more critical than ever. IoT solutions are an excellent example of wide-ranging entities where different parts, consisting of new technologies, are integrated in innovative ways. Information security problems, and more generally information management problems, often arise from mere oversight and thoughtlessness, when an integration endpoint or an application’s business logic enables unpredictable actions. elfGROUP is part of an IoT Alliance, led by Solita, to ensure the cyber security of IoT solutions that are developed in cooperation with multiple companies.

In information security testing we repeatedly see cases where the user interface has built-in access right checks and input validation, but the API interface that gives access to the same information lacks these implementations in part or entirely. This is one tangible example of incomplete architectural design and of forgetting the onion model while planning for information security. It is often a sign of using more or less copy-pasted code in system development, instead of building the entity by logically bundling and reusing its functionalities.
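The pattern above, as an added example that is not taken from the presentation: one shared service function owns the access check and the input validation, and a small parity check runs the same must-refuse requests against every entry point. The invoice data, user names and handler names are hypothetical.

```python
# Added illustration; data model, users and handler names are hypothetical.
import copy
import re

SEED = {1: {"owner": "alice", "note": "Q4"}}      # constructed sample data
NOTE_RE = re.compile(r"[\w .,-]{1,80}")           # allow-list for the note field

class Denied(Exception):
    """Raised when the caller may not touch the record."""

def update_invoice(db, user, invoice_id, note):
    """Shared service function: the only place that writes an invoice."""
    invoice = db.get(invoice_id)
    # Fail securely: an unknown id and someone else's id get the same refusal.
    if invoice is None or invoice["owner"] != user:
        raise Denied("not permitted")
    if not isinstance(note, str) or not NOTE_RE.fullmatch(note):
        raise ValueError("invalid note")
    invoice["note"] = note
    return invoice

def ui_update(db, user, invoice_id, note):
    return update_invoice(db, user, invoice_id, note)

def api_update_copy_pasted(db, user, invoice_id, note):
    # The pattern from the text: same data, checks left behind in the UI.
    db[invoice_id]["note"] = note
    return db[invoice_id]

def api_update_shared(db, user, invoice_id, note):
    return update_invoice(db, user, invoice_id, note)

# Requests that every entry point must refuse (constructed test cases).
MUST_REFUSE = [("bob", 1, "mine now"), ("alice", 1, "<script>"), ("alice", 1, "")]

def accepted_bad_requests(handler):
    """Return the MUST_REFUSE cases that the handler wrongly accepts."""
    accepted = []
    for case in MUST_REFUSE:
        db = copy.deepcopy(SEED)                  # fresh state per case
        try:
            handler(db, *case)
            accepted.append(case)
        except (Denied, ValueError):
            pass
    return accepted
```

Running `accepted_bad_requests` over each handler in a test suite turns the UI/API mismatch into a failing test instead of a finding in a later security assessment.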

In my speech I also emphasized the fundamentals of software assurance, methods of secure development and security design principles, such as presuming mistakes and vulnerabilities, failing securely and early in the process, and reluctance to trust. Because all systems are man-made, mistakes and errors are a natural part of them. Software assurance and non-functional requirements of software production should be disclosed as tangible requirements and software project deliverables.

Information security testing should be an integrated part of software development. This also enables measuring, analysis and development! With support from executives, this can be held on to even under schedule pressure. By modeling threats, it’s easier to recognize horizontal cyber threats and attack vectors. Defining trust boundaries and concentrating on protecting them is valuable, because this way the safety mechanisms of the software can be managed economically, and effort is not wasted.

As developers, and people in general, get blind to their own mistakes, information security testing done by an external party, as well as certification for information systems or data handling confidentiality statements, are very important to assure third parties that the information system has an adequate level of information security.

At the end of my speech I emphasized the importance of spreading awareness of cyber security and gave some essential practical tips to improve software assurance.


Cyber security events gathered an audience in both Helsinki and Oulu

At the end of November we organized a breakfast seminar in Oulu, in cooperation with Arctic Security Oy and Rugged Tooling Oy. In elfGROUP’s speech I brought up the same subjects as in CSE18, this time from a software production perspective.

It was nice to see that both these events gathered a large audience interested in the field of cyber security. Let’s keep cyber security and software assurance development in active dialogue also in the future!



Download the presentation material

Download my presentation material from CSE18, and keep these important points in mind also in your future software development projects!



About the Author: Tuomas T.


Tuomas is the founder and CEO of elfGROUP. He identifies himself as more of a software, security and IT infra geek than a business leader; elfGROUP is his third self-initiated business endeavor in addition to previous technical positions in data security, insurance and financial corporations. In his daily role Tuomas works hands-on with the elf team members to help our customers in the best possible way to improve their overall cyber security, both in the software and IT infra domains. Free time activities include jogging, snowmobile riding and recently also some martial arts.