It’s perhaps the longest-standing myth in IT:
You can deploy IT quickly, or you can deploy it securely. But you can’t do both.
This supposed trade-off touches virtually every aspect of IT, from product development, to market release, to customer deployment, production product maintenance, and all associated stages.
Of course, like many myths, there is a bit of truth to the trade-off. Viewed in the extreme, you could spend endless cycles validating your product’s security posture against every emerging threat and so delay getting it to market forever.
But the practical reality is that many decisions are made throughout the product development lifecycle that strike a balance between security, functionality and getting to market quickly. The primary need in today’s security environment is for product developers to plan how best to hit those optimal balance points so they can bring products to market quickly while still meeting the functionality and security needs of customers.
The US government development backdoor
The notion of the security-speed trade-off rose again this week in a piece published in Nextgov, a publication that focuses on technology in government. The article is authored by David Egts of Red Hat and warns that many federal software developers are downloading open source software components without going through the standard procurement process for vetting technology.
“While this can certainly expedite innovation, it also has the potential to expose agencies to security risks if they’re not careful,” Egts writes. “This backdoor approach to code procurement can let in some unwanted visitors through that door: unknown and dangerous vulnerabilities that may have gone undetected in the code.”
Egts is describing the trade-off between time-to-market and security, the same trade-off that faces the developers of commercial products that may incorporate open source software or other software that is made by an external party.
Using a piece of open source software shortens your development cycle while meeting a functional requirement. Why re-invent the wheel?
In his article, Egts makes a few points that show why this shortcut, in the government context, is a very bad idea: the procurement process helps ensure systems are secure; developers using downloaded components are typically not security focused themselves; and shortcuts can lead to poor documentation of what is actually in the end product.
These same principles translate well into the commercial market context. If you make embedded systems products, Internet of Things devices, or other IT systems that incorporate open source, security should not take a backseat in the rush to get products out the door.
Securing by Design
While the Nextgov article focuses on open source components, it’s important to point out that the exact same security issues can arise when a developer uses proprietary software from an external third party.
Plenty has been written about the idea that open source software is actually more secure than proprietary software, because open source benefits from the work of the community of developers. But it’s ultimately up to the developer of a product to determine the desired security posture of their product and then validate that all components — open source, proprietary third party, custom developed — support that security requirement.
In 20 years of working with the makers of embedded systems, smart devices and other products, we’ve seen a range of best practices for security by design:
- Software composition analysis: It’s critical to document all modules and components that are integrated into your product. While this analysis is often tied to the need to meet licensing requirements, the security aspects are equally critical. If a future security vulnerability affects a third-party proprietary or open source software component in your product, how will you know if the component details are not documented and tracked?
- Vulnerability monitoring & vulnerability management: Closely related to software composition documentation is the need to monitor and track relevant security vulnerabilities.
The number of disclosed vulnerabilities has exploded in recent years. This year has already set a new record, as the count of Common Vulnerabilities and Exposures (CVEs) has surpassed the total in all of 2017.
Vulnerability awareness is critical when products are being developed. But this best practice is essential for products once they are on the market as well, to ensure customers in deployment are not put at risk for a data breach because of your products.
With an average of more than 300 vulnerabilities being disclosed every week, according to CVE Details’ tracking, a product maker needs to cut through the vulnerability storm, focus on the CVEs that matter for their products, and manage the patches and mitigation to keep customers secure.
- Device hardening: Device hardening focuses on assessing the security posture of your device, in light of the deployment environment, customer security requirements, and potential avenues of compromise. Once these factors have been considered, a hardening project will plug security gaps, ensure known vulnerabilities do not pose a risk of compromise, and also consider how to limit the damage if an attacker gets past the defenses.
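The first two practices above (software composition analysis and vulnerability monitoring) fit together as in the following sketch. It is an added example, not Timesys code: the component names, versions, advisory IDs and the feed format are all constructed for illustration.

```python
# Added illustration: match a product's component manifest against a
# vulnerability feed. All component names, versions and advisory IDs below
# are constructed sample data, not real advisories.

def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

# Software composition record: every component shipped in the product.
MANIFEST = [
    {"name": "examplessl", "version": "1.0.2", "origin": "open source"},
    {"name": "vendor-radio-fw", "version": "4.1.0", "origin": "proprietary third party"},
    {"name": "device-agent", "version": "2.3.1", "origin": "custom"},
]

# Constructed feed: each advisory affects versions >= introduced and < fixed.
FEED = [
    {"id": "EXAMPLE-0001", "component": "examplessl", "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "EXAMPLE-0002", "component": "examplessl", "introduced": "1.1.0", "fixed": "1.1.4"},
    {"id": "EXAMPLE-0003", "component": "vendor-radio-fw", "introduced": "3.0.0", "fixed": "4.1.0"},
    {"id": "EXAMPLE-0004", "component": "unrelated-lib", "introduced": "0.1.0", "fixed": "9.0.0"},
]

def relevant_advisories(manifest, feed):
    """Return the advisories that apply to a shipped component version."""
    shipped = {c["name"]: c for c in manifest}
    hits = []
    for adv in feed:
        comp = shipped.get(adv["component"])
        if comp is None:
            continue  # not in the product, or shipped but never documented
        version = parse_version(comp["version"])
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            hits.append({"id": adv["id"], "component": comp["name"],
                         "shipped": comp["version"], "upgrade_to": adv["fixed"],
                         "origin": comp["origin"]})
    return hits

if __name__ == "__main__":
    for hit in relevant_advisories(MANIFEST, FEED):
        print(f'{hit["id"]}: {hit["component"]} {hit["shipped"]} '
              f'({hit["origin"]}) -> upgrade to {hit["upgrade_to"]}')
```

Dropping a component from the manifest makes its advisories silently disappear from the result, which is the tracking gap the composition-analysis item warns about.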
Timesys Threat Resistance Security Technology
Most importantly, all of these security best practices can be adopted as part of a development process without slowing your time-to-market for new products.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will help you to track and analyze vulnerabilities that can affect your products and also harden those products for a stronger security posture. We bring expertise in security by design including embedded system security, embedded Linux security, IoT security and open source software security.
Our Secure by Design offerings help you to conduct device security assessments, implement secure boot, harden devices and ensure they can be updated for strong security in deployment.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick, high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.