Several weeks back I attended the Practical Software Measurement (PSM) Users Group in Crystal City Virginia.  This is a small but good conference that combines presentations on many aspects of measurement for software and systems with workshops in the afternoon where government, industry and academia work together to address issues of import to system and software measurement.  As you might imagine, there were several presentations focused specifically on cybersecurity - a topic that is becoming more and more of an issue in our industry.

All were quite good but one particularly enlightening presentation was presented by Joe Jarzombek of Synopsis – “Cybersecurity Technical Risk Indicators”.  In his talk, Joe talked about how the introduction and explosion of the Internet of Things (IoT) has led to more and more opportunities to exploit cyber weaknesses.  With the number of embedded smart devices in appliances, vehicles, smart homes, medical devices, the risks of violations, whether intentional or accidental, increases.

Joe went on to define the following cybersecurity terms:

  • Weakness – a mistake or flaw condition in IoT architecture, design, code or process, that if left unaddressed could under proper conditions contribute to cyber-enabled capability being vulnerable to exploitation
  • Vulnerability - mistakes in software that can be directly used by a hacker to gain access to a system or network
  • Exposure – configuration issue of a mistake in logic that allows unauthorized access or exploitation
  • Exploit – action that takes advantages of weaknesses to achieve a negative technical impact 

Of course each of these concepts comes with some fancy acronyms and such - check the presentation for more on that.  The presentation then proceeds to discuss that how cyber software assurance is increasingly becoming an issue and how assurance needs to be built into the architecture and design from the beginning.  To me one of the most interesting discussions in this presentation was around supply chain risk management.  Software is rarely built from scratch and is comprised of:

  • New code
  • Reused code from other projects within the organization
  • Reused code from outside sources
  • COTS software
  • Open Source Software
  • Etc.

When deploying software that will be network accessible (and how much software isn’t), one must recognize and own the security issues of all of the component pieces to ensure that their security requirements are met.  “Data breaches exploit vulnerabilities and weaknesses in applications – root causes in unsecure software.  This is a Software Supply Chain Issue”.   The presentation continues to discuss the different actions that an organization can take to ensure all the components of their systems are assuredly safe.  If you are interested in a well thought out and easy to understand primer on cyber security and its issues, causes and ramifications I highly recommend you check this out.