ES Design June 2023

DESIGN

A&D: CYBERSECURITY

strict requirements and proper testing, integrating COTS software may also present security risks.

Once the software landscape is understood, it is then vital to prioritise cybersecurity within software development processes. In practice, this includes alignment between the development and other business teams and finding strategies that can adapt to emerging threats and market dynamics. A useful resource is the US government’s Defence Innovation Board (DIB)’s Software Acquisition and Practices (SWAP) report, which includes some example processes to follow.

Lean on standards

In addition, a vast pool of industry-wide knowledge is available, such as the community-led Common Weakness Enumeration (CWE) Top 25 list of the most widespread and critical vulnerabilities. Likewise, the Open Web Application Security Project (OWASP) Top 10 covers critical security risks for applications, based on analysing the exploits most used by hackers and the level of subsequent damage. A further resource is the Security Technical Implementation Guide (STIG) from the Defence Information Systems Agency (DISA), which shares guidance on how organisations should manage security software and systems.

Coding standards also have a role to play here; they act as sets of rules or guidelines that essentially say ‘do this’ or ‘do not do that’. Returning to the earlier SQL example, a coding standard might instruct users to use only constant strings when creating SQL statements. In aerospace and defence, relevant coding standards include MISRA and MISRA C:2012, which ensure that code created in C and C++ programming languages is safe and secure. Furthermore, the MISRA C:2012 addenda include guidance on mapping to the secure coding rules within ISO/IEC TS 17961:2013 and CERT C. Perforce’s survey found that 76% are required to comply with at least one security, quality, or functional safety standard.

Automation

All these resources help mitigate the impact that getting up to speed on security can have on software developers, who are typically stretched for time. A further way to reduce the workload is to automate security-related processes as much as possible. For example, coding standards would be time-consuming to apply manually, so they are increasingly implemented using static analysis tools. These tools run in the background, examining source code for vulnerabilities and gaps in compliance while it is being written, and give developers confidence that they are developing securely.

Visibility

Beyond in-house teams, building security risk management into development processes across the supply chain is vital. That needs to be based on visibility, enabling newly procured software to be validated and existing code to be audited. By using a continuous security and code compliance platform, aerospace organisations can have a single pane of glass and a centralised store of analysis data, trends, and information for codebases. Consequently, developers can view trending data for project quality and compliance purposes, as well as create supporting reports.

Putting all these measures in place helps create a foundation ready for the increasing complexity of software alongside the likely growth of cyberattacks. While software development is just one element of security, it is an important one and needs to be prioritised. Ensuring that vulnerabilities or compliance issues are detected and remediated as early as possible, without slowing down software development time, goes a long way to addressing the security challenges that aerospace and defence face.
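The coding-standard rule mentioned above (use only constant strings when creating SQL statements) and its automated enforcement by static analysis can be illustrated with a small checker. This is an added example, not code from the article or from any tool it mentions; it assumes Python code that uses a DB-API style `execute` call, and the function names are hypothetical.

```python
import ast

# Constructed sample source to analyse; it is parsed, never executed.
SAMPLE = '''
import sqlite3
conn = sqlite3.connect(":memory:")
cur = conn.cursor()

def find_user(name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))        # compliant
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")    # concatenation
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")         # f-string
    query = "SELECT id FROM users WHERE name = '%s'" % name
    cur.execute(query)                                                  # variable
'''

# Assumption: these method names are the SQL sinks in the code base under review.
SQL_METHODS = {"execute", "executemany", "executescript"}

def is_constant_string(node):
    """True if the expression is built only from string literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_constant_string(node.left) and is_constant_string(node.right)
    return False  # names, f-strings, % formatting, calls: flagged conservatively

def check_sql_constant_strings(source):
    """Return (line, snippet) for each SQL call whose statement is not a constant string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_METHODS
                and node.args
                and not is_constant_string(node.args[0])):
            findings.append((node.lineno, ast.get_source_segment(source, node.args[0])))
    return sorted(findings)

if __name__ == "__main__":
    for line, snippet in check_sql_constant_strings(SAMPLE):
        print(f"line {line}: SQL statement is not a constant string: {snippet}")
```

The check does no data-flow analysis, so a variable that happens to hold a literal is still reported; the parameterised call with a `?` placeholder is the form that passes.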

39 ELECTRONICSPECIFIER.COM
