It seems like recently, software development and the
security issues that go along with this process have been in the news
lately. I am assuming that it is perhaps
because of the heightened tensions on a global basis, and the much-increased
threat of more Cyberattacks originating from Russia and other close by
regions.
But whatever it is, having secure source code in any type or
kind of application that you write and compile these days must be as safe and secure
as possible.
If not, there are many backdoors that can be left wide open
which simply means easy penetration for the Cyberattacker. Now, there probably will never be a thing as
100% secure code. But the efforts must
be undertaken now to try to make this goal a reality perhaps even.
I have written about this topic quite a bit before, and even
other people have written about and published about this very topic offering their
own suggestions. Some of these have
included using the code development check lists that are available from both
the OWASP and NIST, and from, me I have recommended Pen Testing source code at
a modular level.
Now, there might be a newer tool that could come out to help
software developers. It’s already in
existence in other industries, but its application for Cybersecurity would be
totally brand new. This tool is called Electronic
Design Automation, or “EDA” for short.
It is currently being used in the electronics industry to
help develop new chips, semiconductors, etc.
But the key here is that it is used in real time, not after the fact.
So, the thinking here is could the EDA be used like a virtual
assistant of sorts to help a software development team track down issues in their
source code in real time as well, thus perhaps even saving more time? In order for this to happen, there has to be
some key issues that need to be considered first. They are as follows:
1)
Lots of data must be used:
The thinking here is that as the source
code is being developed, the EDA can offer feedback on a real time basis as to the
robustness of it. But in order for this,
it must first make use of either an AI or ML based system, and for that matter,
it must be sophisticated. Then, literally
tons of data must be fed into first so that it can build profiles as to what a robust
line of source code should look like.
From here, further data must be continually fed into it so that it can then
provide some valuable recommendations to the development team. In this regard, various sorts of metrics and reporting
tools have to be created and deployed into the EDA system in order for this
kind of feedback to actually happen.
Also, various dashboards will have to be created for quicker viewing.
2)
Understanding the context:
By this, I mean the EDA has to understand
what the goals are of the Web app that is being developed. For example, is it an online store? Is it a knowledge repository? Is it just a basic website? Is it a place where a Web scanning tool will
be hosted to scan for a client’s website for any weaknesses? As you can tell, there are a ton of
applications that the EDA system may have to learn before it can really provide
any real feedback. An idea here is to
use the principles along the lines of Siri and Cortana. You can simply talk to
them to tell them what you want done. In
this instance, you could potentially tell the EDA system in your own voice what
the Web app is all about. But again, this
will take quite some to develop further.
3)
Understanding intent:
In this regard, the goal here is for
the EDA system to understand why the software developer wrote a particular line
of code the way he or she did, versus another, more standardized approach. This can be classified as a behavioral mechanism,
which even today AI and ML systems can only offer at best at a very simplistic
level. We don’t need the system to tell the
software developer at each and every step what should be done better. It should only be done when it is absolutely
necessary. But for something like this
to happen, the EDA system is going to have think and react like another
software developer, and this is still something far off into the future.
4)
Providing feedback:
It’s one thing for the EDA system to
point out to a software developer where there is a security gap or where line
of code could perhaps be made better. Then
it’s the other thing for it offer suggestions and recommendations as to how
that line of code could be written in a much more robust fashion or how it could
be made more secure. This is again following
the example of Siri or Cortana. For
example, if we are driving, and either one of them provide a recommendation for
a restaurant, and we don’t like it, they will offer other alternatives. The reason that it can do this is that over
time, they have learned about you by building up a profile about you over a
long period of time. This is also the
hope for any future EDA system. In fact,
there are even certain areas within Microsoft Azure that will even offer how to
best remediate the possibilities of being attacked by a threat variant.
5)
It must keep learning:
Just as much as the Cyber Threat
Landscape is evolving, so is the software development world. Now I am by nowhere even remotely close to
being one, I know from my conversations with others and even visiting the forums
that there are new ideas and innovations that are always coming up. Therefore, the EDA system has to keep up with
all of this well, across all of the development languages, in order to provide
the best recommendations possible, assuming that we are even close in theory to
approaching that stage. For example, it
will have to learn all about the Python, PERL, PHP, etc. which are most popular programming languages
today.
My Thoughts On This:
Keep in mind that all I have written here is just in theory alone,
but the way the world is going, it is quite possible that using an EDA system
in this way could become a reality. And
if it does, it could be of great help, because all of this will be done on a
real time basis. In other words, there
will be no need to take certain downtime to run a Pen Test on a source code module,
etc.
Perhaps the best way to get started first is with #1. We must first attempt to get the EDA system
to learn as much as it can first, and then start with providing very basic
feedback at least on a ranking or some of other categorization scale (such as
#1 being not secure at all to #10 being most secure as possible, etc.).
No comments:
Post a Comment