The World's Forum for Aerospace Leadership

  • Donate
  • Press Room
  • Renew
  • View Cart
American Institute of Aeronautics and Astronautics

    Security by Design

    Security by Design

    This week, the annual RSA Conference in San Francisco will again bring together the largest gathering of cybersecurity vendors and professionals, will again be hosted in San Francisco. Hundreds upon hundreds of security companies will spend tens of thousands of dollars to market security solutions that layer on top of, and seek to protect, existing IT networks, systems, and products. Experts will give talks on how to hunt for adversaries in a network or use "next-generation" tools. Securing poorly designed and inherently insecure IT systems drove the cybersecurity industry to become a $75 billion a year market in 2015. Yet, with all this investment in cybersecurity, many of these solutions have failed to stem the tide of breaches or create a much more secure, trusted, resilient, and reliable public Internet or private networks. (Of course, some security technologies work well and are necessary, but they can only do so much to fix insecure IT).


    The growing Internet of Things (IoT) only raises the specter of an even more insecure global network. Gartner, a leading information technology research and advisory company, estimates that the number of IoT devices will grow from 6.4 billion in 2016 to 20.8 billion in 2020. Many IoT devices are extremely difficult to patch or to protect with additional security features: they may be inaccessible, and their processors cannot handle the complexity. With the Mirai botnet, attackers hijacked hundreds of thousands of IP cameras and DVRs, exploiting hardcoded credentials (like the innovative password “0000”) in these devices to create one of the most powerful botnets ever seen. The prevalence of mobile devices will also add to the problem. Things are likely to get worse before they get better.


    In Protocol’s first feature in December 2016, we encouraged you and your enterprises to ask this question: “Do we build security in from the beginning, for both our products and our organization, across all teams, or is it an afterthought or left to the IT team alone?”


    In this issue of Protocol, we take a closer look at the issue of security by design.

    Good Code is Secure Code


    Start with enterprises writing code. This includes but is not limited to major IT vendors. Most large enterprises today, whether in financial services, manufacturing, consumer products, or other sectors, are not only consumers of software and IT but also developers of customer-facing applications, internal applications, or products. In fact, CEOs in sectors as diverse as pharmaceuticals and transportation tell us they are running “IT companies” because the product or service they ultimately deliver to customers depends on their own IT networks and software.


    Building security into the development process can help ensure that code is developed securely, assets are protected, and costs for ineffective security add-ons are minimized.


    Secure design in software does not mean finding and eliminating bugs quickly: it means designing systems that are less likely to be a breeding ground for bugs, assuming that hackers will try to exploit any bugs that do exist, and making the system resilient even in the face of such attempts. The Center for Secure Design of the IEEE Computer Society, a global computing organization, defined it this way: “The goal of a secure design is to enable a system that supports and enforces the necessary authentication, authorization, confidentiality, data integrity, accountability, availability, and non-repudiation requirements, even when the system is under attack.” Secure design involves all elements of software, from authentication and authorization to cryptography to user interaction and data processing. The Center for Secure Design published a terrific resource on Avoiding the Top 10 Software Security Design Flaws that emphasizes these 10 steps:


    1. Earn or give, but never assume, trust.
    2. Use an authentication mechanism that cannot be bypassed or tampered with.
    3. Authorize after you authenticate.
    4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
    5. Define an approach that ensures all data are explicitly validated.
    6. Use cryptography correctly.
    7. Identify sensitive data and how it should be handled.
    8. Always consider the users.
    9. Understand how integrating external components changes your attack surface.
    10. Be flexible when considering future changes to objects and actors.


    This might sound like a lot of work, but designing secure systems, most of which can be accomplished through culture and process, can save money compared to buying expensive technologies, having to backtrack to fix bugs and design flaws, and failing to deliver secure products to customers. A security engineer with Twitter recently said, “When you can solve a problem at the [software] design phase, it automatically solves a bunch of problems later on in the stages … It's very cost-effective to solve security at the design stage."


    Some IT companies have made great strides in secure development and deploying hardware and software that minimizes vulnerabilities, prevents exploitation, and builds security features into the underlying product to minimize the need for extraneous security software. Due to investment in secure design and development within Microsoft, Windows has quickly transformed from having “awful” security, which drove major growth in the security software industry, to being considered one of the most well-secured operating systems on the market with the release of Windows 10. The iPhone is also a well-hardened platform out of the box due to Apple engineering security into the device at both the hardware and application layer. The move to the cloud, with enterprises entrusting outside parties to host their critical data and applications, has heightened the focus on security and driven cloud service providers to compete on their security processes and development practices. The adoption by select vendors of a security development lifecycle, a process whereby security is included at each step of development, has driven more secure products with fewer vulnerabilities.


    Even with the improvement in development practices at some major information technology providers, these players remain the exception and not the norm. For emerging technology areas including the IoT, operational technology systems, many mobile platforms, and even some security technologies themselves, designing a secure product has taken a backseat to reducing costs, ensuring ease of use, and speeding products to market. Increasingly, vendors that have not traditionally been IT providers are producing networked products for their customers. These vendors have failed to identify and mitigate the potential security risks of their products prior to deployment, and in many cases, both industrial and consumer products are exceedingly difficult to patch, harden, or monitor. High-profile incidents including the Mirai botnet attacks, the hacking of electronics in a vehicle, and multiple disruptions of the Ukrainian power grid have highlighted that as more systems come online, designing security into these products and services has not been enough of a priority. Many organizations have failed to build security into modern development practices including agile scrum and DevOps models.


    Up to this point, we have focused our attention on software for enterprise or consumer use. It is important to remember that we live in an increasingly cyber-physical world, in which software is not restricted to interacting with software but instead controls physical objects in the real world: from power grids to thermostats, from water purification plants to refrigerators, from manufacturing to delivery trucks. Cyber-physical systems, including consumer IoT and industrial control systems (ICS) in critical infrastructure, run on code, and security incidents can have physical, real-world consequences. Getting secure design right is as important (if not more) in cyber-physical systems as in information systems.


    To help organizations get secure design right, the National Institute of Standards and Technology (NIST) has developed a terrific resource: NIST Special Publication 800-160 (now in its second draft), Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. A former chief information security officer for the Central Intelligence Agency said, “NIST SP 800-160 will become the de facto standard for integrating 'trustability’ into the design, development, deployment and operation of systems used both within government and commercial critical infrastructure industries.” We hope so!


    Securing the Enterprise from Day One


    Secure design applies not only to software but to building secure corporate networks, too.


    Enterprises should consider how they can build a secure, resilient, and recoverable network before needing to layer on security-specific technologies. A stable and well-designed network is usually easier to manage and more secure than a poorly designed network with the latest security technologies. Consistency in images and configurations, network segmentation, robust identity and access management practices, and regular backups can help reduce risk and increase resilience with little investment in new technology. Of course, making sure that the network infrastructure is secure-by-design helps, too.


    How exactly to build a resilient network depends on the enterprise in question. Building a resilient, manageable infrastructure and reducing attack surfaces is predicated on designing the network with the biggest risks to the organization in mind. The architecture of a securely designed network will vary based on the productivity needs of the organization and its greatest risks. For a small company, relying on a cloud-based architecture may make both security and productivity sense, while a company with highly sensitive intellectual property may wish to segregate that data in a corporate data center and significantly limit access. Secure architecture should mirror the IT demands and risks of the business. The best way to achieve a resilient network is to establish governance and processes that put IT, IT Security, and business units together, in the same room and with a methodical process for design and change management, from day one.


    Designing a resilient network matters for enterprises that only have corporate information networks, but it can be especially important for enterprises that also run ICS networks that need to be secured: the consequences of an incident in an ICS network can be severe, defensive technologies for these networks are less well advanced, and depending on network architecture, sometimes they can be the weak link to access the corporate network (or vice versa). To address this issue, the U.S. Department of Homeland Security recently issued a valuable resource, Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies Industrial Control Systems Cyber Emergency Response Team September 2016.


    A Word About Vendors


    As you tend to your own code and networks, a final word: do not forget about your vendors. Imposing secure design requirements on vendors is a cost-effective way to mitigate risk.


    Large enterprises and government agencies, in particular, can use their purchasing power to shape IT systems for the better. Build key terms into procurement processes, giving an advantage to vendors that do secure design well. Put requirements into contract language. Require a security development lifecycle process. Ask questions about secure design. Request information about code testing and remediation.


    A rising tide lifts all boats: ultimately, this is good for everyone.


    Now, and Then


    Today, much of our IT hardware, software, and network infrastructure is inherently secure. In the rush to deliver usability and make technological advances, security trade-offs were made. By adopting and imposing secure design, you and your enterprise can improve the security ecosystem and likely save money and time in the long run. In the interim, we need security technologies to layer on defense-in-depth, and many of them are useful, but the growth of a cybersecurity mindset driven by the need for adding security to poorly architected systems must not shroud our view of the better answer: for IT developers, consumers, and enterprises to adopt secure design principles and find ways to deploy products, code, and networks that are inherently more secure and resilient.