Who´s Afraid of the Cyberwolf?
The term “sing along” is often used to indicate a very famous tune that (almost) everybody can sing. A famous example is a theme from 1930-ties Disney cartoon “Who´s Afraid of the Big Bad Wolf?”. Back then, and since the early middle ages, the Big Bad Wolf was a kind of universal threat used in storytelling, that many folklorists, ethologists or anthropologists were trying, and still try, to interpret. Today, these animals are rare to see in Europe and there are even few endangered wolf subspecies. My daughter thinks they are actually cute. She drinks her milk from a mug with the photo of 1984 Winter Olympics official mascot, which was a little wolf. So, if we talk about 21-st century universal threat, we need a something different. Here is where cyber threats come into the consideration – they are omnipresent and invisible, just as the universal threats should be. The list of cyber threats is long and varied, but many of these have one thing in common: they exploit vulnerabilities in our software. Therefore, it seems like a logical idea to link secure software engineering and cyber security.
Yet, this did not happen until recently. In October 2011 I had a chance to talk to Gary McGraw, author of the reference books in the software security field. In his works Gary is claiming that the cyber security strategies should also focus on reduction of software vulnerabilities by building more secure software in the first place. This does not mean that firewalls, antiviruses, intrusion detection tools or security event and information management (SIEM) are obsolete or inefficient – it just means that these mechanisms are not sufficient, if your software is full of flaws and bugs. Remember the lesson of Three Little Pigs story? Practical Pig, Fiddler Pig and Fifer Pig are three brothers who build their own houses with bricks, sticks and straw respectively. When the Big Bad Wolf tries to blow down the strong brick house, which he did with the previous two, he is simply unable to do it. Bricks are more expensive, yes. And it takes more time to build house, yes it does. But bricks can save lives if the Big Bad Wolf manages to jump over the fence, tricks video-surveillance and avoids movement sensors around the house.
Bringing secure software engineering into cyber security puzzle is also something that Howard Schmidt, the former Cyber-Security Coordinator of the Obama Administration, is working on. In February 2013 he was appointed Executive Director of the Software Assurance Forum for Excellence in Code (SAFECode). While SAFECode is focusing on assurance and coding, the Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS), predicates a holistic and integrated view on the secure software engineering. NESSoS addresses security requirements engineering, secure architectures and design, as well as secure coding and programming environments. Security assurance and risk assessment are promoted at each one of these phases of software development lifecycle (SDLC). In comparison with the other approaches or best practices, such as The Buidling Security in Maturity model, NESSoS is putting emphasis on the early stages in SDLC, where the investment could be more cost-effective. In addition, integrating security aspects into design processes enables an easy adaptation of security policies during the operational phase, for example due to the changes in access control or software evolution. If only Practical Pig had some tool like that: in the sequel movie to Three Little Pigs, he is building an extension to the shared residence of the three pigs, due to the evolution requirements : just like some software applications, the residence was originally intended only for a single occupant.
So, who´s afraid of the Cyber wolf? Well, we all are…and if not, there are many voices to remind us. Cyber security (and its cousins) incidents have been occupying ICT news intensively in the latest few years. Even the most sophisticated protection and detection mechanisms eventually fail. Attribution of an attack is representing a very complex problem. Infected computers represent danger for others. The good news is that the addressing security concerns from the very beginning of software development is contributing to reduce the amount of vulnerabilities, therefore lowering the cyber security risk. Time for policy and decision makers to act and understand that security-by-design, rather than focusing only on detection or reaction levels, is also a part of cyber security puzzle.