By now, you've undoubtedly seen the news articles about how hackers were able to gain control of a Jeep, taking control of its software and remotely manipulating its transmission, radio and air conditioning. It led to a recall of 1.4 million vehicles, and raised all kinds of concerns.
Granted, this got the headlines…and well it should have. But the issue is far greater than merely the ability to remotely gain control of a car. At the very time that pundits and visionaries are proclaiming a new era where myriad devices are interconnected through the so-called Internet of Things (IoT), these kinds of infrastructures, where everything is linked with everything else, should give us serious cause for pause… and for concern, unless we approach the development of the underlying software in the proper way.
Increasingly, software is everywhere. It's not only in our automobiles (it's been estimated that almost one-third of the cost of building a car comes from software), but also in our personal devices like watches and smartphones, in our appliances, and more. If we're not diligent, all of that software is susceptible to being hacked. In fact, the FDA recently told healthcare organizations to stop using a drug infusion pump for precisely that reason; the agency said software vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
Its proponents see the Internet of Things as being filled with incredible opportunities; ironically, hackers perceive it to be the same way. Sitting hundreds, or even thousands, of miles away, they could be in position to cause all kinds of damage to individuals, to companies, or more. The concept of the “remote hitman” must not be regarded as something merely from a James Bond movie.
There's a significant challenge here for developers: they must make the conscious decision to incorporate security at every level of the software, from development through deployment and beyond. In the Internet of Things, security must not be treated as a mere bolt-on – it must be foundational.
It must begin with the quantifiable analysis and measurement of an application's source code. Flaws in the software and violations of industry-based standards increase the chance that software will fail, perform below expectations or be susceptible to a malicious breach. These types of risks can negatively impact a company's revenue, costs and reputation.
That's especially true with mobile applications becoming more and more prevalent. A recent survey from a global analyst firm indicated that 94 percent of all major companies have either already implemented, or are planning to implement, a mobile strategy. We've seen too many instances where mobile applications are rushed out the door to meet the immediate, perceived customer demand; faults or glitches in the software are addressed with, “We'll take care of it in the next rev.”
No. That simply must not be allowed to happen. The Internet of Things makes it more vital than ever for structural quality and security to be the primary consideration. And, it's the business management that needs to measure and take ownership of this risk.
The argument will undoubtedly be made that this kind of foundational approach is too time-consuming, too expensive and too unrealistic in today's economy. We would argue the exact opposite. We would suggest that the technical debt incurred by trying to “make do” with, and add onto, existing software configurations may ultimately far exceed the cost of doing it properly. The solution, technical debt analysis, involves the use of defined metrics to identify the problem areas in the current codebase that are driving up costs. This information helps in determining how these items can be addressed in order to decrease maintenance costs, heighten productivity, and keep software risk minimal within your organisation.
It's with all this in mind that developers must ensure that their source code is strong and of high quality from the very start, via quantifiable analysis, and benchmarking against best practices. They must also learn to think like hackers, and scrutinise the code for potential vulnerabilities and entry points. Management needs to scorecard structural software risk and build this data into decision-making and budgeting. That's true whether the application is business-based, consumer-focused, enterprise, mobile in nature, or embedded in a remote device like a car.
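As an added illustration of the technical debt analysis and risk scorecarding described above (this is example code written for this page, not CAST's tooling, metrics or code), the Python below turns a constructed set of static-analysis findings into per-module remediation hours, cost and a risk score, then applies a risk threshold as a release gate. The rule ids, severity weights, the doubling of security findings, remediation hours, hourly rate and the findings themselves are all assumptions made for the example.

```python
# Added illustration of a technical-debt scorecard (not CAST's tooling or
# metrics). Rule ids, weights, hours and findings below are all constructed.
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical severity weights for the risk score (assumption).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Security findings count double in the risk score (assumption): they are
# the ones an attacker can turn into an entry point.
SECURITY_MULTIPLIER = 2

# Hypothetical rule catalogue: rule id -> (category, remediation hours).
RULES = {
    "SEC-SQLI": ("security", 4),
    "SEC-HARDCODED-SECRET": ("security", 2),
    "ROB-UNCHECKED-RETURN": ("robustness", 1),
    "ROB-RESOURCE-LEAK": ("robustness", 2),
    "MNT-COMPLEXITY": ("maintainability", 6),
}


@dataclass(frozen=True)
class Finding:
    """One violation reported by static analysis against a module."""
    module: str
    rule: str
    severity: str


# Constructed sample findings, as a scanner might report them.
FINDINGS = [
    Finding("telematics", "SEC-SQLI", "critical"),
    Finding("telematics", "ROB-UNCHECKED-RETURN", "medium"),
    Finding("infotainment", "SEC-HARDCODED-SECRET", "high"),
    Finding("infotainment", "MNT-COMPLEXITY", "low"),
    Finding("infotainment", "ROB-RESOURCE-LEAK", "medium"),
    Finding("billing", "ROB-UNCHECKED-RETURN", "low"),
]


def finding_risk(f: Finding) -> int:
    """Severity weight, doubled for security rules."""
    category, _ = RULES[f.rule]
    weight = SEVERITY_WEIGHT[f.severity]
    return weight * SECURITY_MULTIPLIER if category == "security" else weight


def scorecard(findings, hourly_rate: float = 150.0) -> dict:
    """Per-module findings count, remediation hours, cost and risk score."""
    card = defaultdict(
        lambda: {"findings": 0, "debt_hours": 0, "debt_cost": 0.0, "risk": 0}
    )
    for f in findings:
        _, hours = RULES[f.rule]
        entry = card[f.module]
        entry["findings"] += 1
        entry["debt_hours"] += hours
        entry["debt_cost"] += hours * hourly_rate
        entry["risk"] += finding_risk(f)
    return dict(card)


def total_debt_hours(findings) -> int:
    """Engineer-hours needed to clear every finding."""
    return sum(RULES[f.rule][1] for f in findings)


def prioritize(findings) -> list:
    """Modules ordered by risk, highest first; ties broken by debt hours."""
    card = scorecard(findings)
    return sorted(card, key=lambda m: (-card[m]["risk"], -card[m]["debt_hours"]))


def blocked_modules(card: dict, max_risk: int) -> list:
    """Modules whose risk exceeds the budgeted threshold (release gate)."""
    return [m for m in sorted(card) if card[m]["risk"] > max_risk]


if __name__ == "__main__":
    card = scorecard(FINDINGS)
    for module in prioritize(FINDINGS):
        print(module, card[module])
    print("total debt hours:", total_debt_hours(FINDINGS))
    print("blocked at risk > 15:", blocked_modules(card, max_risk=15))
```

With the constructed data, `infotainment` carries the most remediation hours (10) while `telematics` carries the highest risk (22), so the two numbers answer different questions: debt hours drive the maintenance budget, the risk score drives what must be fixed before shipping. The `max_risk` threshold in `blocked_modules` is where management's ownership of the risk becomes concrete, since it is a number they set and defend rather than one engineering picks.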
The Jeep hack may have gotten all the headlines, but it won't and mustn't stop there. As the Internet of Things reaches the items we use on a daily basis, software quality is no longer only about bits of plastic, wires and code. Through the IoT, hackers now have access to far more than our computers.
If we're not diligent, hackers could easily become the future hitman from afar.
Contributed by Lev Lesokhin, EVP, Strategy, CAST.