SOFTWARE SECURITY BEST PRACTICES ARE CHANGING, FINDS NEW REPORT

Independent software vendors, along with Internet of Things and cloud vendors, are involved in a market transformation that is making them look more alike. The similarities are evident in the way they approach software security initiatives, according to a report from Synopsys.

Synopsys on Tuesday released its ninth annual Building Security in Maturity Model, or BSIMM9. The BSIMM project provides a de facto standard for assessing and then improving software security initiatives, the company said.

Based on 10 years of conducting the software study, it is clear that testing security correctly means being involved in the software development process, even as the process evolves, said Gary McGraw, vice president of security technology at Synopsys.

Using the BSIMM model, along with research from this year’s 120 participating firms, Synopsys evaluated each industry, determined its maturity, and identified which activities were present in highly successful software security initiatives, he told LinuxInsider.

“We have been tracking each of these vendors separately over the years,” McGraw said. “We are seeing that this whole cloud thing has moved beyond the hype cycle and is becoming real. As a result, the three categories of vendors are all beginning to look the same. They are all taking a similar approach to software security.”

Report Parameters

The BSIMM is a multiyear study of real-world software security initiatives based on data gathered by more than 90 individuals in 120 firms. The report is a measuring stick for software security, according to Synopsys.

Its primary intent is to provide a basis for companies to compare and contrast their own initiatives with the model’s data about what other organizations are doing. Companies participating in the study then can identify their own goals and objectives. The companies can refer to the BSIMM to determine which additional activities make sense for them.

Synopsys captured the data for the BSIMM. Oracle provided resources for data analysis.

Synopsys’ new BSIMM9 report reflects the increasingly critical role that security plays in software development.

It is no exaggeration to say that from a security perspective, businesses have targets painted on their backs due to the value that their data assets represent to cybercriminals, noted Charles King, principal analyst at Pund-IT.

“Software can provide critical lines of defense to hinder or prevent incursions, but to be effective, security needs to be implemented across the development cycle,” he told LinuxInsider. “The BSIMM9 report nails some high points by emphasizing the growing importance of cloud computing for businesses.”

Report Results

Rather than provide a how-to guide, this report reflects the current state of software security. Organizations can leverage it across various industries — including financial services, healthcare, retail, cloud and IoT — to directly compare and contrast their security approach to some of the best firms in the world.

The report explores how e-commerce has impacted software security initiatives at retail firms.

“The efforts by financial firms to proactively start Software Security Initiatives reflects how security concerns affect and are responded to differently by various industries and organizations,” said King. “Overall, the new report emphasizes the continuing relevance, importance and value of the Synopsys project.”

One key finding in the new report is the growing role played by cloud computing and its effects on security. For example, it shows more emphasis on things like containerization and orchestration, and ways of developing software that are designed for the cloud, according to McGraw.

Following are key findings from this year’s report:

  • Cloud transformation has been impacting business approaches to software security; and
  • Financial services firms have reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.

Retail, a new category for the report, showed remarkably fast adoption and maturity in the space once retail companies started considering software security. In part, that is because they have been using the BSIMM to accelerate their progress.

In one sense, the report enables predicting the future, allowing users to become more like the firms that are the best in the world, according to McGraw.

“The bottom line is that we see the BSIMM is indicating a market transformation that is actually taking place. We are getting past the baloney into the brass tacks,” he said.

Structural Design

The researchers built the BSIMM framework around 115 activities, grouped into 12 different practices and sorted into three levels.

Level one activities are pretty easy and a lot of firms undertake them, noted McGraw. Level two is harder and requires having done some level one activities first.

“It is not necessary, but that is what we usually see,” he said. “Level three is rocket science. Only a few firms do level three stuff.”

The researchers already had some idea of what is easy and what is hard in dealing with software security initiatives. They also know the most popular activities in each of the 12 practices.

“So we can say if you are approaching code review and you are not doing this activity, you should know that pretty much everybody else is,” said McGraw. “You should then ask yourself, ‘Why?’”

That does not mean you have to do XYZ, he added. It just means maybe you should consider why you are not doing that.

Understanding the Process

The BSIMM9 report also gives a detailed explanation of the key roles in a software security initiative, the activities that now comprise the model, and a summary of the raw data collected. It is essential to recognize the target audience for the report.

The audience is anyone responsible for creating and executing a software security initiative. Successful SSIs typically are run by a senior executive who reports to the highest levels in an organization.

They lead an internal group the researchers call the “software security group,” or SSG, charged with directly executing or facilitating the activities described in the BSIMM. The BSIMM is written with the SSG and its leadership in mind.

“We are seeing for the first time a convergence of verticals — ISVs, IoT vendors and the cloud — that used to look different in the way they approached software security,” said McGraw. “They were all doing software security stuff, but they were not doing it exactly the same way.”

Fresh Look, New Perspectives

Each year researchers talk to the same firms as well as new participants. All of the data is refreshed each year. That provides a perspective of at least 12 months — but probably, on average, a much shorter time span. There is not that much of a lag indicator involved because of the scientific methods the researchers use, according to McGraw.

The BSIMM review provides a much more objective view of what is going on in the target groups than you would get by looking at a few case studies, he noted. That was one of the study’s goals when he initiated it years ago.

“The BSIMM is the result of wanting to have real objective data without overemphasizing technology or people of particular vendors or whoever paid us money,” McGraw said.

Funding Path Essential

Under the BSIMM’s charter, the project is not designed to make a profit, only to let Synopsys break even. Firms pay for their participation in the study and sponsored events, said McGraw. Non-participants can view the report for free, but paying to participate gets the companies their own results.

This gives the paid participants a very intense look at their own software security and how it compares to others with their own data published for them, McGraw explained. The published report does not provide the data of individual firms, only collective data.

The most important outcome for participating is feedback from the community that developed among the participants, according to McGraw. Synopsys holds two annual conferences, one in the U.S. and one in the EU.

Bottom Line

Ten years ago security researchers did not know what everybody was doing regarding software security. Now firms can use the BSIMM data to guide their own firm’s approach to it, according to McGraw.

“We learned that all firms did software security slightly differently. There is no one correct way because the cultures of all the firms and their dev teams differed,” he said.

With a unified view of all the approaches used, researchers can describe in general how to approach software security and track particular activities, McGraw said.

“We didn’t come up with a particular set of prescriptive guidance. Instead, we came up with a descriptive set of facts that you can use to make great fast progress with software security,” he noted.

The Takeaway

BSIMM researchers recognize that the report data on software security never will eliminate data breaches and other software security concerns. Unfortunately, there is no first-order way to measure security, noted McGraw.

“You cannot throw software in a box that lights up red or green. We retreated to developing a look at what successful firms are doing as a way to guide other firms to be more like them,” he said, “but there is no way to measure that directly.”

Synopsys’ theory is that if you want to get out front, you first have to build better software, said McGraw. “Better security comes about with the way you build software.”

INSTAGRAM TIGHTENS EATING DISORDER FILTERS AFTER BBC INVESTIGATION
Instagram has placed more hashtags which could promote eating disorders on an “unsearchable” list after a BBC investigation found that users were finding ways around the platform’s filters.

The photo-sharing network has also added health warnings to several alternative spellings or terms which reference eating disorders, some of which are popular hashtags on the platform.

Starting in 2012, the photo-sharing site started to make some terms unsearchable, to avoid users being able to navigate directly to often shocking images, and posts that promote the idea that eating disorders are a lifestyle choice rather than a mental illness.

If someone enters the unsearchable terms into the platform’s search box, no results will come up.

Other hashtags, when searched, will activate a pop-up asking the user if they need help, with options to “learn more”, cancel the search, or view the content anyway.

BBC Trending found that certain terms promoting bulimia were still searchable – and that the Instagram search bar was suggesting alternative spellings and phrasings for known terms which some see as glamorising or encouraging eating disorders.

In one case, the search box offered 38 alternative spellings of a popular term.

In response to our findings, Instagram made several alternative spellings unsearchable and added several others to the list of terms which trigger the health warning. Trending is not listing the specific hashtags on the list, but Instagram said it would continue to try to restrict content which appears to encourage eating disorders and self-harm.

“We do not tolerate content that encourages eating disorders and we use powerful tools and technologies – including in-app reporting and machine learning – to help identify and remove it,” an Instagram spokesperson said in a statement.

“However, we recognize this is a complex issue and we want people struggling with their mental health to be able to access support on Instagram when and where they need it.

“We, therefore, go beyond simply removing content and hashtags and take a holistic approach by offering people looking at or posting certain content the option to access tips and support, talk to a friend, or reach out directly” to support groups, the statement said.


Bypassing filters

After Instagram and other social networks started to censor content that might encourage eating disorders, internet users attempted to navigate around the filters by deliberately misspelling commonly used eating disorder terms. The new hashtags could then be searched for on the platform.

While researching this story, we saw photos of skeletal bodies and posts that encourage extreme fasting.

Instagram, like most popular social networks, does not use moderators to proactively search for content that is against its rules. Instead it relies on other users to report violations.

WORD PROCESSOR PIONEER EVELYN BEREZIN DIES AGED 93

The woman who created and sold what many recognise as the world’s first word processor has died aged 93.

Evelyn Berezin called the device the Data Secretary when, in 1971, her company Redactron launched the product.

She grew Redactron from nine employees to close to 500 and was named one of the US’s top leaders by BusinessWeek magazine in the year she sold it, 1976.

She had earlier built one of the original computerised airline reservation systems.

The innovation – which matched customers and available seats – was tested by United Airlines in 1962.

According to the Computer History Museum, it had a one-second response time and worked for 11 years without any central system failures.

The technology vied with the rival Sabre system, developed by American Airlines, for being the first of its kind.

In addition, Ms Berezin helped pioneer other types of special-purpose computing including:

  • an automated banking system
  • a weapons-targeting calculator for the US Defense Department
  • terminals for a horse-racing track that monitored how much money was being bet on each animal

Screenless editing

In an interview in 2015, Ms Berezin explained that she had decided to set up her own business in the mid-60s after coming to the conclusion that her prospects were limited so long as she was employed by someone else.

She said that she had initially considered developing an electronic cash register but ultimately opted to create what would become known as a word processor instead.

She said: “6% of all the people in the United States who worked were secretaries.

“At the time we started, which was in 1968 to 1969, nobody really had any desk-type computers on which you could write a word-processing program that a secretary would use.

“I know that desktop computers seem obvious now but it wasn’t so then.”

At the time, the nearest equivalent was a machine by IBM called the MT/ST – a typewriter with magnetic tape recording and playback facilities.

IBM’s marketing referred to a “word processor”, but the machine relied on relay switches rather than computer chips, had been targeted at military equipment makers rather than the wider business market, and in Ms Berezin’s mind was “klutzy”.

“We were committed to building a computer to run our system and we knew that we had to use integrated circuits because it was the only way we could make it small enough and cheap enough and reliable enough to sell,” Ms Berezin said.

Her machine – which stood about 1m (3ft 3in) tall – featured a keyboard, cassette drives, control electronics and a printer.

It could record and play back what the user had typed, allowing it to be edited or reprinted.

The original model lacked a monitor, and soon faced competition from a rival, the Lexitron, which did.

But later versions of the Data Secretary did include a screen.

[Image: Some versions of the Data Secretary did feature a screen]

Sparks and water

The project nearly ended in disaster.

Ms Berezin had intended to buy the processors required from Intel, which had gone into business in 1968. But it said it was too busy dealing with orders for its memory chips.

The solution was that Redactron had to design some of the chips required itself and provide the schematics to two manufacturers.

There were further problems with a prototype when it was put on display in a New York hotel for reporters to see.

The issue was that in dry weather, it was prone to a build-up of static electricity, which caused sparks to fly between its circuits, preventing it from working.

“To our horror it was a dry day and the engineers were setting this non-working machine up for our big story,” Ms Berezin said.

“Ed Wolf [our head of engineering brought] a full pail of water and without a word to anyone throws the pail of water over the whole thick carpet in the room.

“The water sank into the carpet, which stayed damp for three or four hours, and the machine worked perfectly.”


The first production machine was delivered to a customer in September 1971. And over the following year, Redactron sold or rented more than 770 others, excluding demo units.

Over the following years, demand grew but the company’s finances came under strain, in part because of high interest rates and a recession that meant clients wanted to rent rather than buy its products.

“We were told by the bank to sell the company and they had somebody they knew who was interested,” said Ms Berezin.

“At the time, I was distraught about it.”

She went to work for the purchaser, the business equipment-maker Burroughs Corporation. But it proved to be an ill match.

“I was not one of them – I told them what I thought – a loud woman they did not know how to deal with,” she said.

“So, they disconnected and so did I.”

Ms Berezin left the company around 1980, after which she became involved in venture capital and sat on other companies’ boards before becoming involved with Stony Brook University.

The New York Times reported that a nephew had confirmed she had died on 8 December in Manhattan after turning down treatment for cancer.

One of the remaining Data Secretary word processors can be seen on display at the Computer History Museum in California.

THE UK’S INQUIRY INTO FAKE NEWS IS FOCUSED ON A LONG-DEAD BIKINI-FINDING APP

On Saturday, the Observer published an article describing a rather incredible caper that took place in the United Kingdom. As part of an ongoing inquiry into fake news, Parliament seized a cache of documents obtained during legal discovery in a case mounted by an app developer against Facebook in an unrelated matter in the United States.

Carole Cadwalladr, who rose to prominence this year as one of the journalists who broke the Cambridge Analytica story, has the tale:

Damian Collins, the chair of the culture, media and sport select committee, invoked a rare parliamentary mechanism to compel the founder of a US software company, Six4Three, to hand over the documents during a business trip to London. In another exceptional move, parliament sent a serjeant at arms to his hotel with a final warning and a two-hour deadline to comply with its order. When the software firm founder failed to do so, it’s understood he was escorted to parliament. He was told he risked fines and even imprisonment if he didn’t hand over the documents.

“We are in uncharted territory,” said Collins, who also chairs an inquiry into fake news. “This is an unprecedented move but it’s an unprecedented situation. We’ve failed to get answers from Facebook and we believe the documents contain information of very high public interest.”

What, exactly, might be of interest here? In the Wall Street Journal, Deepa Seetharaman catches us up on Six4Three and why it’s suing Facebook:

The Six4Three lawsuit stemmed from Facebook’s decision in 2014 to stop giving outside developers broad access to information about users’ friends. The move was a harsh blow to developers, forcing a number of apps to shut down, while Facebook argued it helped bolster user privacy.

Six4Three was the developer of an app called Pikinis, which allowed its users to find photos of Facebook users in bathing suits. It ceased operation in 2015 because of Facebook’s decision to curtail access to its users’ data, according to the lawsuit.

The 2014 changes were, of course, the ones designed to tamp down on the kind of invasive third-party data harvesting that would eventually come back to bite Facebook this year with the Cambridge Analytica scandal.

What makes the seizure of documents strange is that so little of the Cambridge Analytica story is, at this late date, in dispute. We know what data was made available to third-party developers before 2014. We know Facebook gradually became uncomfortable with how these developers were exploiting its users. We know they deliberated about it internally and eventually shut off the spigot.

Seetharaman suggests that it is these deliberations that are of interest to Collins. And perhaps some spicy emails will see the light of day. But it’s hard to square the facts of the case with the way the document cache is presented in the Observer, which is as a development somewhere on the level of the Pentagon Papers.

And in any case, it remains unclear what 2014 data privacy discussions have to do with Collins’ inquiry, which is supposed to be investigating the impact of fake news. The inquiry, which began in 2017, produced an interim report in July. Perhaps the document cache will link data privacy and fake news. Or perhaps a politician is simply casting about looking for new cudgels with which to beat Facebook in front of television cameras.

Collins’ committee will hold a public hearing on Tuesday, and may discuss the cache of documents then. (Mark Zuckerberg was invited to go, and declined.) But as we waited for those internal communications to become public, a new court filing introduced a rather amazing twist.
