Security and Quality Reviews of Software - PowerPoint PPT Presentation

1
Security and Quality Reviews of Software
The First Step in the development of a solid foundation in e-Security
Presented by Antonio Robinson, President, Pioneer Technology
www.pioneertechnology.com

2
  • Why Security Reviews of Software
  • Software Development History
  • Move to Offshore
  • Pros and Cons of Offshore Development
  • IP Issues
  • Security
  • Legal
  • Security Issues
  • Embedded System security
  • Application System security


3
  • Software Development History
  • The software industry did not start with
    Microsoft.
  • Since the 50s, code development has focused on
    production-quality results.
  • The software industry embraced QC as a foundation.
  • Remember such companies as DEC, Apollo, HP,
    Unisys and many more.
  • From simple peer review to complex team reviews,
    QC was taught and implemented from DOD to
    commercial.
  • Computer languages come and go, but QC of the
    application is forever.


4
  • Software Development History (Continued)
  • Software development, and the QC tools, grew with
    the industry.
  • From the mainframe down to the PC, and now back up.
  • Web applications
  • SCADA applications
  • Embedded systems

5
  • Move to Off Shore
  • So when did the problem of software quality
    begin?
  • Software always had bugs, BUT the software
    industry in the United States was focused on
    releasing a quality product. Time to market was
    not the issue; a quality product was.
  • Software development was sent offshore not for
    quality or faster production, but for COST
    reduction (increased profit).
  • With development now measured on cost factors,
    something was left behind.
  • When you pay for a VW you will not get a Ferrari.

6
  • Move to Off Shore
  • World Hot spots in Code Development
  • India
  • Red China
  • Russia
  • Yugoslavia

7
  • Move to Off Shore: Hot spots
  • While many legit efforts can be discussed in
    these countries, you must also manage:
  • India: Mumbai crime syndicate, IP theft, back
    doors, spyware.
  • Red China: Triads, Yakuza, IP theft, industrial AND
    military espionage.
  • Russia: Russian Mafia, IP theft, industrial AND
    military espionage.
  • Yugoslavia: Russian Mafia, IP theft, industrial
    AND military espionage.
  • The same can be said for Korea and a few
    other exotic locations. Cyber crime and cyber
    warfare happen worldwide.

8
  • Pros and Cons of Off Shore Development
  • IP Issues: IP theft. Who are you going to take
    to court?
  • Let's discuss your fantasies about winning in a
    foreign court system: India? China?
  • Security: Backdoors, spyware, oh my!
  • Legal: IP issues, and legal issues here in this
    country regarding HIPAA, SOX and FISMA.
  • Business people, wake up and smell your lost
    profits!
  • Government agencies, beware of a cyber Pearl
    Harbor.

9
Security Issues

We touched on a few of these issues, such as crime syndicates, IP theft, back doors, spyware, and industrial and military espionage. Some economic numbers from Pinkerton Consulting & Investigations (2006) might help frame the cost of this issue.

IP theft costs U.S. businesses an estimated $250 billion per year, and 750,000 American jobs. The World Customs Organization and Interpol estimate that the total global trade in illegitimate goods increased in 2004 to more than $600 billion.

10
  • Security Issues
  • Security issues also range into:
  • Competitive losses.
  • Loss of personal records (medical, SSN, etc.).
  • Lost state or military secrets.
  • Examples:
  • Lost Veteran Service and medical records.
  • Lost TS information from Federal labs.
  • Etc.

11
Security Issues

The total amount or value of state contract offshoring cannot be estimated, because federal agencies and most state governments do not know where their contracted-out service work is performed. Commercial efforts are wary of releasing information because of home market impact (Buy American).

Because subcontracting is so common, federal agencies, states and in some cases commercial concerns are often unaware of the exact identity and location of the company that is ultimately performing the hands-on work. Contracts awarded to U.S. firms assume that the work will be done domestically, but then the company subcontracts to an offshore firm to maximize profit.

Again, not a technology issue, but a move to maximize profit.
12
Security Issues

Companies that appear to be domestic sometimes are not. Do your due diligence. Check out who the company is and where they do their work. Add a contract clause with the SOW to ensure that work on sensitive applications is done onshore.

At the end of the day, how are you going to bring charges of IP theft against a company in China or India?
13
  • Embedded System security
  • Embedded systems are the life blood of
    today's society!

14
  • Embedded System security
  • Embedded systems control critical systems
    ranging from the safety systems of a nuclear
    power plant, and cruise missiles, to the engine
    control in your automobile. Did I forget to
    mention water treatment plants, traffic lights,
    chemical, oil and gas refineries, pipelines,
    avionics in aircraft, and much more?

15
  • Embedded System security
  • The opening air battle of the first Gulf War showed
    the weakness embedded systems have for tailored
    backdoors and viruses.
  • Iraq's air defense was shut down minutes
    before our planes crossed the red line. The
    antiaircraft (AA) sites were blinded.

16
Application System security

Do we need to discuss the weaknesses in banking systems, manufacturing ERPs, insurance systems, medical systems, robotic lines, and web-based e-commerce? They are critical to our society, and in many cases the structural support for our economy.

We have the same issues here as before, but in much greater volume. From spyware and backdoors to poor-quality code, software quality reviews are not an option.
17
Cyber Pearl Harbor

Counterterrorism agents are grappling with a new type of security threat: a malicious piece of computer code capable of disabling the world's critical infrastructure, from power grids to air traffic control networks.

"If you're a terrorist, you don't even need the bombs. If you can control the (power) grids, if you can do it from a computer somewhere, you can do a lot of damage," U.S. congressman Tom Davis, a co-chair of the U.S. government's Information Technology Working Group, said.

ZDNet News, November 5, 2004
18
  • Software Testing
  • Software testing is the process used to
    help determine the quality, completeness, scope,
    and security of developed computer software.
  • White-box and black-box testing
  • Alpha, Beta, and Gamma testing
  • Manual and automated system testing
  • Regression testing
  • Test cases, suites, scripts
  • Application specific
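The slide names the testing styles but does not show how they differ in practice. The following added example (not code from the presentation or from Pioneer Technology) is a miniature test suite for one security-relevant function, a constructed path-joining helper for a file-download feature, and shows the three styles side by side: black-box cases that only look at inputs and outcomes, white-box cases that deliberately exercise individual branches of the implementation, and a regression case that pins a bug the code is assumed to have had in an earlier version (the backslash bypass is a constructed history, not a reported defect). `safe_join`, `BASE` and the test classes are all assumptions of this example.

```python
"""Added example: black-box, white-box and regression tests for a
security-relevant helper. The helper and its bug history are constructed
for illustration; nothing here is code from the presentation."""
import io
import posixpath
import unittest

BASE = "/srv/files"  # constructed base directory for the download feature


def safe_join(base: str, user_path: str) -> str:
    """Join a client-supplied relative path onto a base directory,
    refusing anything that would escape the base (path traversal)."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or NUL byte")
    # Treat backslashes as separators too. The constructed earlier version
    # only recognised '/', which is the bug the regression test pins.
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/"):
        raise ValueError("absolute path not allowed")
    joined = posixpath.normpath(posixpath.join(base, normalised))
    base_norm = posixpath.normpath(base)
    # The trailing '/' matters: "/srv/files-backup" shares the prefix
    # "/srv/files" but is not inside it.
    if joined != base_norm and not joined.startswith(base_norm + "/"):
        raise ValueError("path escapes base directory")
    return joined


# Black-box table: (input, expected to be accepted). Written from the
# specification only, without looking at the implementation.
BLACK_BOX_CASES = [
    ("docs/report.txt", True),
    ("docs/../readme.md", True),       # still inside base after normalisation
    ("../etc/passwd", False),
    ("docs/../../etc/passwd", False),
    ("../files-backup/x", False),      # sibling directory sharing the prefix
]


class BlackBoxTests(unittest.TestCase):
    def test_table(self):
        for user_path, expect_ok in BLACK_BOX_CASES:
            with self.subTest(user_path=user_path):
                if expect_ok:
                    self.assertTrue(safe_join(BASE, user_path).startswith(BASE + "/"))
                else:
                    with self.assertRaises(ValueError):
                        safe_join(BASE, user_path)


class WhiteBoxTests(unittest.TestCase):
    """Each test targets one branch of safe_join, as a code reviewer
    with the source in front of them would write it."""

    def test_nul_byte_branch(self):
        with self.assertRaisesRegex(ValueError, "NUL"):
            safe_join(BASE, "a.txt\x00.png")

    def test_absolute_path_branch(self):
        with self.assertRaisesRegex(ValueError, "absolute"):
            safe_join(BASE, "/etc/passwd")

    def test_base_itself_is_allowed(self):
        # Exercises the `joined != base_norm` half of the final check.
        self.assertEqual(safe_join(BASE, "."), BASE)


class RegressionTests(unittest.TestCase):
    def test_backslash_traversal_rejected(self):
        # Constructed history: the first version only recognised '/'
        # separators, so this input passed review and escaped the base.
        # The case stays in the suite so the bug cannot quietly return.
        with self.assertRaises(ValueError):
            safe_join(BASE, "..\\..\\etc\\passwd")


def run_suite():
    """Run all three test classes; return (tests run, failures, errors)."""
    loader = unittest.TestLoader()
    suite = unittest.TestSuite()
    for cls in (BlackBoxTests, WhiteBoxTests, RegressionTests):
        suite.addTests(loader.loadTestsFromTestCase(cls))
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.testsRun, len(result.failures), len(result.errors)


if __name__ == "__main__":
    print(run_suite())
```

The point of keeping the three styles separate is that they catch different things: the black-box table is what a QC reviewer can write from the specification alone, the white-box tests prove each defensive branch is actually reachable, and the regression test is the permanent record of a review finding.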

19
Software Testing

Software testing must become a national concern, both for governmental agencies AND commercial critical infrastructure owners. Automation and the application of supercomputer technology can give the USA an edge in addressing the sheer volume and fluid nature of the problem.
20
References
  • NIST (National Institute of Standards and Technology) http://csrc.nist.gov/
  • NSA http://www.nsa.gov/
  • NASA Software assurance processes http://satc.gsfc.nasa.gov/assure/assurepage.html
  • ISO 27001 http://www.iso27001security.com/
  • Michigan InfraGard http://www.infragard.net/chapters/michigan/
  • Information Assurance Professionals Association (IAPA) http://www.iapa-glc.org
21
References - 2
  • "Lawmaker: Beware of cyber-Pearl Harbor", ZDNet News, November 5, 2004
  • Unrestricted Warfare: China's Master Plan to Destroy America, by Qiao Liang & Wang Xiangsui (retired colonels in the People's Liberation Army)
  • Other non-technical books that will help you understand software security issues:
  • The Art of War, by Sun Tzu
  • The Art of War, by Mao Tse-Tung
  • On Guerrilla Warfare, by Mao Tse-Tung
  • Clausewitz, Nonlinearity and the Unpredictability of War
  • Any historical works on FM Rommel and Gen. Patton
22
  • Questions?
  • Pioneer Technology
  • Providing Professional Engineering and Computer
    Services
  • www.PioneerTechnology.com
  • Information: 517-546-2855 ext. 12
  • Michigan offices located in Clinton Twp, Detroit,
    Howell.
  • Other offices in DC and Scottsdale, AZ.