Software Security Starts with Code

Because modern society has become dependent on software-based technology, security isn’t optional.

Most security vulnerabilities are a result of coding errors that go undetected in the development stage, making secure software development imperative.

Embedded software is pervasive in everything from cars and household products to medical devices, industrial automation, and critical infrastructure.

The Internet of Things is here, and as more devices connect to the Internet and each other, the potential for attackers to disrupt lives and threaten our safety and security is rapidly evolving.

New products and market growth depend on software development, and software security will determine success or failure for many businesses. But delivering these products presents a unique set of challenges in software development and security.

5 key facts of developing secure embedded software:

1. Security by obscurity is a myth

Many developers believe that their embedded devices are not targets for hackers because their software isn’t used by as many people as, say, an operating system such as Windows.

This belief is wrong and results in developers compromising security when new features need to be built and tight deadlines met.

This lack of a security-first approach in many organizations is why analysts, researchers, and law enforcement agencies warn that embedded software and connected devices could be the source for the next cybercrime wave.

2. Proactive prevention is more effective than reactive detection

Security technologies such as network firewalls, application firewalls, intrusion detection systems, and penetration testing address security problems in real time.

While valuable, these technologies are not equivalent to producing secure and standards-compliant code.

To design software that prevents vulnerabilities from existing, it’s necessary to make security an integral part of the way you design and build software.

3. Security features do not equal secure software

The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.

This means that even if you implement security features such as cryptographic ciphers and algorithms, passwords, and access control mechanisms, you will only protect yourself from 36% of vulnerabilities at best.

4. Embedded development provides a unique set of challenges

Compared to PCs:

  • Embedded systems have limited memory and CPU;
  • They need to be taken offline for maintenance and updates;
  • There are a number of operating system options, including none at all; and
  • Each embedded system is unique, and programming close to the hardware is most common.

This all compounds to make it increasingly difficult to develop secure software that remains up to date.

5. It’s difficult to build secure embedded software in C

C is the most widely used embedded programming language, despite being a difficult language in which to build secure embedded software.

It was designed to be a lightweight language with a small footprint and does very little, unfortunately, to protect the programmer from introducing vulnerabilities.

This lack of protection is even more dangerous for programmers who have experience with superficially similar languages, because they wrongly assume that they have more protection than they do.

Automated static analysis is your first step towards secure code; CERT C and C++ add-ons are your second

Automated static analysis helps you produce high-quality code in less time and for less money. By testing your source code while it is being developed, you catch and correct coding standard compliance violations as they happen.

Your next step is adding CERT C and C++ add-ons to your PRQA static analyzer. This ensures your code adheres to standards specifically designed to improve the software security of billions of software-controlled devices, from alarm clocks to electrical grids.