
November 25, 2024
Cyber defense starts in your software factory
Build your defense from the ground up!
Nobody would deny that cyber security is today an essential activity for any company of any size. This is especially true if you build software, whether for your own use or for your customers and partners. Any security breach can hurt your financial results as well as your reputation, and in critical environments such as medical software, transport or the pharmaceutical industry it can even endanger human lives. 🔒
Software engineering practices integrated security measures into their development lifecycles years ago (leading to the concept of “DevSecOps”). This emphasizes that software must be validated against cyber threats at every stage: analysis, development and testing.
This usually starts with a threat analysis. Software Composition Analysis (SCA) tools are then used early in the development process to detect vulnerable dependencies, both direct and transitive, such as libraries or frameworks.
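To make concrete what "direct as well as transitive" means for an SCA check, here is a small added example (not Knoware's tooling, and not the code of any real SCA product). It walks a constructed dependency graph breadth-first from the application root, matches every resolved package against a constructed advisory list using a simple "vulnerable if below the fixed-in version" rule, and reports the path through which each vulnerable package is pulled in. All package names, versions and advisory identifiers are made up for illustration; the path is what a team needs to know which direct dependency to bump in order to get rid of a vulnerable transitive one.

```python
"""Minimal SCA-style dependency check (added example, constructed data only).

Resolves direct and transitive dependencies of a root package and flags
any resolved package whose version is below the fixed-in version of an
advisory. Real SCA tools read lockfiles and advisory databases; here both
are small inline dictionaries so the example runs offline.
"""
from collections import deque

# Constructed dependency graph: package -> (installed version, [dependencies]).
# The graph is assumed complete, i.e. every referenced package has an entry.
GRAPH = {
    "webapp": ("1.0.0", ["http-client", "templating"]),
    "http-client": ("2.3.1", ["compression-lib"]),
    "templating": ("4.0.2", ["compression-lib", "escape-utils"]),
    "compression-lib": ("1.2.0", []),
    "escape-utils": ("0.9.5", []),
}

# Constructed advisories: package -> [(advisory id, fixed-in version)].
# Any version strictly below "fixed-in" is treated as affected.
ADVISORIES = {
    "http-client": [("EXAMPLE-2024-0003", "2.4.0")],      # direct dependency
    "compression-lib": [("EXAMPLE-2024-0001", "1.2.4")],  # transitive dependency
    "escape-utils": [("EXAMPLE-2024-0002", "0.9.5")],     # installed == fixed-in: not affected
}


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def resolve(root, graph):
    """Return {package: (version, path_from_root)} for root and all its
    direct and transitive dependencies. Breadth-first, so the recorded
    path for each package is one of the shortest routes from the root."""
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        if name in resolved:
            continue  # already reached via a shorter or equal path
        version, deps = graph[name]
        resolved[name] = (version, path)
        for dep in deps:
            if dep not in resolved:
                queue.append((dep, path + [dep]))
    return resolved


def scan(root, graph=GRAPH, advisories=ADVISORIES):
    """Match every resolved package against the advisory list and return
    one finding per (package, advisory) pair that is affected."""
    findings = []
    for name, (version, path) in resolve(root, graph).items():
        for advisory_id, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "package": name,
                    "version": version,
                    "advisory": advisory_id,
                    "fixed_in": fixed_in,
                    "path": " -> ".join(path),
                    # root plus one hop is a direct dependency; anything longer is transitive
                    "transitive": len(path) > 2,
                })
    return findings


if __name__ == "__main__":
    for finding in scan("webapp"):
        kind = "transitive" if finding["transitive"] else "direct"
        print(f"{finding['advisory']}: {finding['package']} {finding['version']} "
              f"({kind}, fixed in {finding['fixed_in']}) via {finding['path']}")
```

Running the block reports two findings: the direct `http-client` dependency and the transitive `compression-lib` reached through it, while `escape-utils` is not reported because its installed version already equals the fixed-in version. Keeping the path in the finding is the part that matters for remediation: a transitive package cannot be upgraded in isolation, so the report points at the direct dependency to update.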
Static Application Security Testing (SAST) tools (code analysis focused on potential security holes) are also integrated into the software development lifecycle and automatically detect code issues that could result in insecure software.
Testing includes activities such as penetration testing and infrastructure security testing, in order to detect any potential security flaw in the software before release. Some of these tools are also expected to keep scanning for vulnerabilities after release (for example, a vulnerability in a library can be disclosed years after the software was released). ⚒️
What is sometimes forgotten, however, is that the software factory itself must be protected against cyber threats. Recent cyber attacks have targeted the factory directly, with the goal of compromising the software it delivers. This kind of attack, also called a supply chain attack, targets the different nodes of the software factory (code repositories or final deployment repositories, for example) with the intention of adding malicious code to the final product that will stay undetected. The best-known example of such a supply chain/factory attack is SolarWinds, where a backdoor injected into the product was then deployed to all SolarWinds customers. 😱
Because Knoware builds and maintains software for customers in highly regulated and critical industries (medical, pharmaceutical, transport,…), we take cyber defence very seriously and invest a lot in our own software factory to build protection into every step of the software development lifecycle. We also do not forget that the tools of this factory must themselves be protected. For this, a threat analysis of the software development lifecycle is typically conducted to identify potential security flaws in the delivery process. 🛡️
With the experience built internally, we have recently also helped customers modernize their own software factories through studies and audits. 📋
#SoftwareFactory #CyberSecurity #SupplyChainAttack #CriticalSoftware #DevSecOps