Security

Internet Security is Key when developing Software and Applications

Today, the Internet security of software modules, and of the applications built from those modules, is a crucial requirement for minimizing the risk of attacks. Attacks through the Internet have become rather complex and intelligent and need to be addressed thoroughly. In response, organisations developing software need to focus right at the start of a development cycle on the analysis of potential risks and security issues, and their product roadmap must cover security improvements over time. The challenge is to think not only about the functions a product should provide but also about the functions the product should deny when being attacked. Unfortunately, it is still common to concentrate development efforts only on functionality, and only at a later stage, when a product is used and distributed, is an attempt made to fix security issues by providing patches to the users. This type of 'Patch and Pray' strategy is insufficient and inferior to a proper risk analysis from the start.

ITXperts support their customers with decades of profound experience in developing complex application and system software, which extends to Cyber Security for modules and software products. Any organisation that wants to include Cyber Security at the start of its development cycles should consider and review the following questionable statements:

A basic product set (small function set) does not need any security modules

Time to market and other requirements may lead to a decision to ignore security functions during the initial development cycle. Frequently the first customer version is intended to find out how the product is accepted and what the chances are of selling it. The risk of an attack is thought to be quite low initially. However, the chance of being attacked is a real issue, and believing it might not happen is not a good idea, even for the initial version of a product with well-restricted features. Only if the product launch is unsuccessful may security never become an issue, but as soon as the product is widely accepted it will be attacked without any doubt.

Limiting the focus on the required function set is sufficient

Most often the software developed includes all essential requirements, but no attempt has been made to include security strategies or tools to detect attacks and protect against malicious access. Modern "Agile Software Development Methods" attempt to achieve a ready-to-use implementation. As a consequence there is a trend to leave out any non-functional parts and neglect security issues. But your software should really provide security and protect the integrity and confidentiality of your client's data. Also, it should be robust and handle any "Denial of Service" (DoS) attacks gracefully. At a very early phase you should rule out that even light attacks can cause CPU, memory or network load that leads to congestion or bottlenecks. In short, your software needs to be aware of all well-known and frequent attacks.

Penetrate and Patch

This refers to a security 'management' technique which essentially applies security fixes to software after an attack has taken place. Such a strategy goes back to the above-mentioned practice of "features over security", and this is not the way your software should be built. Clearly, you do not know whether the very first "strike" will be fatal to your software and your customers.

Learn about fundamentally insecure implementations

In client-server implementations the server must never trust the responses and announcements of its clients. Clients can be replaced by malicious software and cause destruction.

Never trust a mobile client, and never believe that a web client

  • is sending confirmed, trustworthy data. Any hacker can modify JavaScript applications to send any destructive or malicious data.
  • cannot make the server execute functions which should never have been performed. Any clever developer can build a chat client which may cause an action like 'delete this picture' or work around a constraint like 'don't copy this movie'.
  • is sending only such server requests as are specified in the user interface. Be prepared for all messages of the implemented API to be tried.

Build heavy duty, robust server security methods and don't believe that you know all about the behaviour of the client, even when the (true) client was built by your team.
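The server-side checks described above, as an added example that is not part of the original page: every message is matched against an allowlist of API messages, its fields are validated, and the action is authorized against the server-side session rather than anything the client claims. The names `handle`, `API` and `PICTURES` and the sample data are hypothetical.

```python
# Added illustration (not ITXperts code): treat every client message as untrusted.
PICTURES = {"p1": {"owner": "alice"}, "p2": {"owner": "bob"}}  # constructed sample store
MAX_LEN = 64  # upper bound on any string field, so oversized input is refused early


def _owns_picture(user, fields):
    """Authorization rule: only the owner recorded on the server may delete."""
    pic = PICTURES.get(fields["picture_id"])
    return pic is not None and pic["owner"] == user


# Allowlist of API messages: exact field set with types, plus an authorization rule.
API = {
    "delete_picture": {"fields": {"picture_id": str}, "authorize": _owns_picture},
    "list_pictures": {"fields": {}, "authorize": lambda user, fields: True},
}


def handle(session_user, msg):
    """Return (status, detail). session_user comes from the server session, never from msg."""
    if not isinstance(msg, dict) or not isinstance(msg.get("type"), str):
        return (400, "malformed message")
    spec = API.get(msg["type"])
    if spec is None:  # messages outside the allowlist are refused, not guessed at
        return (400, "unknown message type")
    fields = {k: v for k, v in msg.items() if k != "type"}
    if set(fields) != set(spec["fields"]):  # e.g. a client-supplied "owner" field
        return (400, "unexpected or missing fields")
    for name, typ in spec["fields"].items():
        if not isinstance(fields[name], typ) or len(fields[name]) > MAX_LEN:
            return (400, "invalid field: " + name)
    if not spec["authorize"](session_user, fields):
        return (403, "not permitted")
    if msg["type"] == "delete_picture":
        del PICTURES[fields["picture_id"]]
        return (200, "deleted")
    owned = sorted(p for p, meta in PICTURES.items() if meta["owner"] == session_user)
    return (200, owned)
```
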

Responsibility of Organisations

Despite the fact that many organisations already provide an internal structure to take care of Cyber Security, and although there may be a number of responsible persons on different levels of the organisation, there is still quite often confusion about who should control a product's development cycle:

  • who identifies potential risks and evaluates how these should be addressed in the requirements.
  • how you can find out whether all of these requirements are covered by your organisation, given the fact that there is a lack of Cyber Security specialists who understand both the technical part and the administrative part of the problem.
  • who is responsible for ensuring these requirements are worked on by the developers.
  • who is responsible for taking the necessary actions after a security breach.


Get a thorough understanding of how the software is used by your customer

As mentioned earlier, the aim is not only to provide the required function set but also to rule out that any hidden functions can be activated. To achieve this, the supplier needs to know how a customer may use the software, at a first stage and later on, in an always changing environment with new usage patterns. A number of questions need to be considered:

  • Is the customer's trust model different from your own model? Is the customer unable or unwilling to use data encryption when transferring data, despite the fact that the shipped system may depend on encryption?
  • A system operator is not a person to be trusted! And you realise that your system has no protection against attacks from inside.
  • Your customer may not be in a position to upload his data to the Cloud.
  • Access to the system at the customer's premises may not be secured. A potential competitor may have physical access to the hardware the system is running on.


Taking Care

Internet Security should be taken into account right from the start of the development process.
Integration of Cyber Security at an early stage of software development is key to ensuring that the software can only be used as per the specification.


Services provided by ITXperts

Alongside its core theme, security as part of software and product development, ITXperts offers further service options to its customers:

Gateway Security

  • Firewall and VPN
  • SSL in VPNs
  • Intrusion Detection and Prevention System
  • Load Balancer
  • Router and Switches

Endpoint Security

  • Viruses and Malware Extraction
  • Volume Encryption
  • Application Control
  • Device-Management

Content Security

  • HTTP and HTTPS Filtering and Proxies
  • Spam Filter
  • Email Signature and email encryption
  • Anti Malware Gateway

Monitoring & Alerting

  • Monitoring of IT Security Environments and Systems
  • Alerting via Email or SMS
  • Security Information and Event Management (SIEM)

Mobile Security

  • Securing Mobile Devices (Mobile Phones, Tablets, etc.)
  • Mobile Device Management
  • Secure WLAN Access

Authentication

  • PKI Solutions using certificates
  • Network Access Control
  • Protection against unauthorised access to Hardware
  • Client Compliance Check