you run an organization producing products that incorporate significant amounts of software. You know that security wasn’t a concern when much of that software was written. You know that insecure products are no longer acceptable and that you have to do something. But where do you start?
If you are in this position then these two talks from BlackBerry can help you get started. Yes – two talks. The first is by Christine Gadsby and looks at managing products with substantial Open Source Software (OSS) content. The second is by Adam Bouton and looks at some challenges of adding security to automotive software.
Anyone who thinks that BlackBerry is just a failed maker of smart phones will be rapidly corrected by Christine’s description of BlackBerry’s software offerings, which are much more extensive than just the widely used QNX operating system. BlackBerry’s products make substantial use of OSS (563 libraries used in 86 product variants). Much of what Christine says about how to manage the security aspects of OSS is applicable more widely. Having been involved, many years ago, in the rollout of a CMM based software quality programme, I was interested by BlackBerry’s OSS Maturity Model which provides a route to improving software security. Christine provides other practical examples of how to manage and organize for software security.
Whereas Christine’s talk focuses mainly on issues of management, Adam’s talk looks mainly at technical challenges of achieving software security in automotive applications. He starts by comparing “security” and “safety” (a topic addressed in one of the IoT SF’s first blogs – https://iotsecurityfoundation.org/safety-security/), pointing out the similarities and differences. His view is that although the automotive industry is new to security, its long-standing experience in safety gives it a good base to work from. Adam exposes many automotive security issues and runs over how QNX can help address these. Regarding how to start addressing security issues, he gives a number of sources of good practice. He points out that the principles behind security are common to many industries, and that you can do worse than looking at established standards from another industry.
I was particularly struck that both Christine and Adam talked about the problem of added features and functionality being antithetical to security. Christine talks about features being like vanilla ice cream – irresistible but bad for your health, and Adam suggests that you should always ask “Should this be done?” when contemplating new features.
All in all, these talks are interesting and useful for software developers and those managing the development of software heavy products.
Article written by Roger Shepherd – Founder and Managing Director of Chipless Ltd
You can find this talk, and more, from the Annual IoTSF Conference on the Conference Page on the IoTSF website here