Improving Software for Society
IAP Initiatives
With the objective of Improving Software for Society, the IAP has developed several initiatives, including FURST and CyberCOP. Information about both is given below.
FURST
The IAP has always fostered a professional approach to software development, and members agree to be bound by its code of conduct. To sum up the concepts put forward in books such as Clean Code and Code Complete, the acronym FURST was created as an aid to producing good software. It stands for FIT for purpose, UNIT tested, REVIEWED, STANDARD and TIMELY.
• FIT FOR PURPOSE (FFP) – does what it is supposed to do precisely.
• UNIT TESTED – it can be relied upon.
• REVIEWED – checked to be well-written, compliant code that is easy to understand.
• STANDARD – complies with all coding, UI, security and other applicable standards.
• TIMELY – produced in time.
INTRODUCTION TO FURST
Although producing a piece of software may not be the same as producing a more tangible product, for the purpose of a better understanding of FURST, the production of a car can be used as an analogy.
A car needs to be built within a certain time limit in order for the manufacturer to make money; otherwise there wouldn’t be any profit in the venture. The car is produced to certain requirements such as engine size, number of doors, top speed and utility, such as the ability to fold down the back seats, to meet the customer’s needs. Besides being attractive, reliable and easy to drive, the car also needs to comply with government or agency standards so that it is safe to be driven on public roads. The manufacturer will employ a quality engineer to carry out or review a series of tests to ensure that the car meets both its own requirements and any standards laid down, such as health and safety and roadworthiness. The quality engineer may use a ‘rolling road’ to test the car. The rolling road can be used for basic testing, such as ensuring that the brakes work efficiently and reliably and that the exhaust emissions meet the manufacturer’s own requirements and exceed the government standards. However, the rolling road cannot determine how the car handles in general, such as whether it is a soft or hard ride, or how it handles corners. The rolling road is not part of the car and is never delivered to the customer, but without it there would be great difficulty in asserting that the different sub-systems or components within the car work to the prescribed limits.
A software product has to be built and delivered within a certain time for the venture to make money. The software will have a set of requirements that have to be met for the product to be useful to the customer (Fit For Purpose). These may include normal features and utility features, and the software will need to perform within certain limits. The software will also need to be reliable, easy to use and compliant with certain standards such as security, safety, and look and feel, amongst others. Unit tests are written to test the basic functions of the software to assert that it meets or exceeds the requirements and any compulsory standards. A reviewer will look at the product to ensure that the quality and other standards have been met and to check that the tests are valid and pass. However, the unit tests don’t test the behaviour of the whole system. The unit tests are not delivered to the customer, but without them it would be difficult to prove that the basic functions work as expected.
PROFESSIONALISM FURST
The attitude of a non-professional programmer may be:
– As long as the requirements are met, that is where the commitment ends – what is ‘fit for purpose’ anyway?
– Why bother with unit tests, following standards and having someone else reviewing what I have done?
– I may not be here when the software is delivered or needs upgrading, so it doesn’t bother me.
– It will get completed when I finish, so why worry about time?
The whole purpose of software is to produce value for the customer. It must also be reliable and trustworthy, while for the company developing the software it must be easy to maintain and enhance.
Keeping code clean can help in optimising development, as the source code is always kept in a fit state, thus allowing flexibility for a change in priorities or requirements. Code is read many more times than it is written, so it must be easy to understand and change and it must look like all the other code i.e. standard and coherent. If it is changed, you have to be sure you haven’t broken anything and unit tests can help with this. Having other developers review all these points will ensure that these ideas are adhered to. All this must be done in a timely manner. Thus a professional attitude brings a lot more responsibility, but also produces rewards in creating a better quality product.
Using FURST you can check if there are Unit Tests in place, if the code has been Reviewed and if it has been completed within the current sprint (Timely). Standards are ones that an organisation demands to be followed, so the review can ascertain this. However, Fit for purpose may be more of a problem!
You can show that the code meets requirements and acceptance criteria, and this would go a long way towards FFP. In an agile process this would be the minimum for any ‘Definition of Done’. However, the code could be a big ball of mud (because of legacy code) that, at this point in time, works. Is this fit for purpose? It may not be reliable, as a small change may take a long time to get working, and its intent is not transparent, i.e. it is not easy to read, understand or change; like beauty, it may not be pleasing. Therefore FFP, unlike the others, is more subjective. You can say definitely that it is not FFP when the application doesn’t meet requirements or acceptance criteria, but the converse is not necessarily true.
FURTHER READING
To find out more click on any of these articles to download:
• The ‘Attractiveness’ of Source Code
• The Costs of Unattractive Code
• Why is Compealing Important?
• A Summary of Professionalism FURST
CyberCOP
The Cyber Security in Software Community of Practice group (CyberCOP) meets regularly and is currently creating some outline documents to explain cyber security, and how software developers, businesses and the public can improve how they handle this subject on a day to day basis.
ESSENTIAL READING
Click on articles to download:
• Cyber Security Developers Checklist
ELEMENTS OF IMPLEMENTING CYBER SECURITY
Cyber security is about the management of risk to cyber resources. A cyber resource is anything the organisation holds by electronic means and may consider valuable (to the business, its clients, or personnel) that a hostile entity might consider of value and worth stealing, amending, or interrupting. Cyber security includes the protection of inter-connected systems, including hardware, software and data from criminal or unauthorized access as well as the measures to achieve this.
This is not intended as an exhaustive or detailed list but if these areas are addressed you will be 90% of the way to a secure system. Specific situations may require an individual approach.
User Controls: Policies and technology to authenticate and authorise legitimate users access to data permitted within the levels of privilege assigned to their role.
Firewalls and Intrusion Prevention and Detection: Network appliances that implement either stateful or stateless checking; that is, rules-based filtering with packet inspection, or rules-based filtering on source/destination IP addresses and protocols, respectively. Firewalls can be extended with modular enhancements, or supported by separate network sensors that use signatures, to detect-and-prevent or detect-and-allow malicious activity that attempts to exploit vulnerabilities across a network.
Malware Protection: Signature- and heuristic-based tools to detect suspicious behaviour indicative of malicious code or malicious characteristics, such as Trojan downloaders, viruses that infect hosts and worms that subvert hosts and self-propagate.
Equipment, Network and Data Security: Defence-in-depth measures applied end-to-end between endpoints and server-side backends promoting the protection of information assets at-rest and in-transit.
Remote Access: An access method whereby users can remotely and securely access information assets, where the user and/or endpoint are uniquely attributed to users and verifiable through assigned keys or tokens; examples are Secure Shell (SSH) and Transport Layer Security (TLS).
Data Loss Prevention, Backups and Disaster Recovery: The importance of having an effective and tested backup solution cannot be overstated, whether in the case of hardware breakdown or some form of outside interference. Being able to quickly and efficiently restore lost or corrupted data is a must for most businesses. A very effective defence against ransomware and many viruses is simply to dump the corrupted drive and replace it with a clean drive and a copy of the data.
Practicality and Usability: A key point of an effective security system is that it must be practical and usable for the end user. Any system that adds undue complexity, or a large number of steps whose benefit the user cannot see or understand, will either be ditched in favour of business efficiency and practicality, or a ‘way round’ will be found by those who have genuine access rights. A good marker might be the level of security needed to physically access the PC and perhaps walk off with it.
Updates and Patch Management: A supporting regime that ensures applications and operating system components receive regular and critical security patches, in order to pragmatically and retrospectively remediate theoretical or known flaws or weaknesses, thereby reducing the attack surface.
Identity and Access Management: Policies and technology to authenticate and authorise legitimate users access to data permitted within the levels of privilege assigned to their role.
Data Encryption: The protection of data using cryptographic mechanisms, whether stored at rest (through applications such as databases, and on disk using file or volume encryption) or in transit (using point-to-point methods such as TLS or Internet Protocol Security (IPsec) to authenticate each end and encrypt the traffic).
ENCRYPTION STANDARDS WITHIN SOFTWARE – by David Smith MIAP
When developing software, the developer should always bear in the forefront of their mind that everything should be encrypted where possible and, moreover, where practical.
Databases: Where possible, always ensure that the data held within the database is automatically encrypted, either by using your own secure algorithm or by using an industry-standard encryption protocol.
Do not assume that your data is secure just because the MySQL or SQL Server instance is stated as being secure. If possible, I would even recommend splitting databases into multiple parts – so perhaps have three separate servers, each containing a third of the data – and only when the data is pulled from all three separate servers and assembled does the completed record set exist.
Using rolling encryption is a fantastic way to ensure that your data is secure, and if you implement this approach from the word go when designing your software, life becomes easier: every time the data set is written or updated, use a completely new encryption key – so rather than simply securing the entire dataset with a given key, have each record within the dataset use a random key.
Combining that approach with splitting your dataset over, say, three separate servers will not only enhance your data protection but also means that if anyone does breach a server, they only have a third of the data, and even that has a different encryption key for each record within the data set.
It’s not always possible to implement such an elaborate scheme of data protection; some will say having three servers is expensive – and it is – but if you construct the data procedure from the word go, you could start with three databases hosted on your single server, so that moving to actual physical servers later wouldn’t require any massive updates or changes to the code.
A developer must create their software secure from the ground up.
Any additional encryption, such as that provided by the hosting domain server for example, will simply provide an additional layer of security, which isn’t a bad thing.
Memory Dumps: Hackers are getting much smarter, and software for grabbing your data is also evolving at a terrifying rate. We are never going to be able to ensure that our data is never stolen – but what we have to do is make it as hard as possible for that to occur.
Memory dumps are where data loaded into your computer’s memory can be stolen and uploaded in the background without your knowledge (having a good network security protocol can not only alert you to this happening but also stop it in its tracks).
So, don’t simply extract the data from your databases and have it sitting around in your computers’ / devices’ memory; if you must hold data in memory, ensure that this data is still encrypted. The only time this data should be unencrypted is when you visually show it to the end user or when it is printed out on paper.
Keeping your data encrypted whilst in memory until it is required will not only scupper attempts to steal the data via a memory dump but will also give the attacker nothing but a block of useless data should they actually manage to steal the memory dump.
Screengrabs: You should, where possible, try to disable the user’s ability to screen grab in order to protect the data shown on the screen. With various computers / devices this simply isn’t possible.
But one thing that you can do within your software is set up a timer and, say every 2/3 seconds, simply clear the clipboard memory. This in effect will allow someone to screen grab, but by the time they have gone into the other application – such as Paint, Word, etc. – the data they captured has vanished from the clipboard, so it gives the effect that ALT & PRTSC has been disabled when it hasn’t.
Warning: Of course, if the user needs the copy & paste function whilst your application is running, that will present massive issues and therefore you may not be able to do this. I personally disable the timer when the application is minimised or hidden and reactivate it when the user is using or viewing the sensitive data.
Data Theft: Assume your data is going to be stolen. It’s the developer’s job to protect the data as best as possible, so that if someone does have it, it’s just rubbish and they can’t do anything with it.
SECURING REMOTE AND HYBRID WORK ENVIRONMENTS
We thank Field Effect for letting us share their thoughts on coping with the new way of working. Since Covid-19, we have seen a substantial cultural change in how people work and from where they choose to do this. Protecting our businesses and employees has never been more important and this checklist may help you.
The definitive checklist.
Your workplace has changed. Your cyber security should too.
Whether you have an entirely remote or hybrid environment, employees need access to the same hardware, software, and data without compromising security. This creates a big challenge since cyber risks increase when staff work in new locations. Use this checklist to learn cyber security best practices that will protect your teams, data, and systems.
Do you have a remote work cyber security policy?
Develop and distribute a policy that outlines the cyber security risks associated with remote work, such as using public wi-fi, and safe computing behaviours that reduce them.
Are employees using strong, unique passwords for every account?
Employees should choose longer passwords with upper and lowercase letters, numbers, and symbols. We also recommend using passphrases — strings of words that make sense to the user only. Password manager tools can help keep track of complex credentials.
Have you enabled multi-factor authentication (MFA)?
Multi-factor authentication takes username and password security further with an extra step to validate the user’s identity. This added protection is key for modern work environments, limiting the risk of credential stuffing, brute-force password attacks, and more.
Do employees know about major cyber threats?
Make sure everyone understands the techniques and possible signs of common cyber attacks, such as phishing. Education is vital for all staff, but remote workers should know the signs of an attack, including markers of a malicious email, and how to respond correctly.
Are all hardware, software, and cloud applications configured correctly?
Ensure all IT infrastructure is configured to optimize cyber security, such as managing user access permissions, automatically applying updates where possible, and more.
Have you developed a bring your own device (BYOD) policy?
Set cyber security and appropriate use guidelines if employees use personal and company-issued devices. Specify what devices and applications are allowed, password rules, who owns device data, and more.
Have you implemented a mobile device management (MDM) solution?
A mobile device management (MDM) solution is a great way to oversee company-issued devices remotely. It helps you implement policies that secure, monitor, and manage mobile hardware, as well as remotely lock or wipe devices if lost or stolen.
Have you set up a remote access VPN?
A corporate virtual private network (VPN) creates an encrypted connection that enables secure remote access to your network. Configured correctly, a VPN allows employees to safely retrieve, store, and share data from anywhere.
Have you developed appropriate use policies?
Hybrid work environments require new tools, such as web conferencing and instant messaging, to enable safe productivity from any location. Develop an appropriate use policy outlining how to use (and not use) new company technology.
Are machines set up to encrypt data?
Encrypting data translates it into a code that’s only readable to those with the key, reducing potential device loss to only the cost of the hardware and not the information on it.
Are you regularly backing up data?
Saving and uploading data using a cloud back-up service ensures that critical data is encrypted and accessible to authorized users only.
Do you provide regular cyber security training for employees?
Provide employees with regular cyber security training to keep the subject top of mind. It could be as simple as emailing best practice tips or working with a learning provider to deliver online sessions.
Do you have visibility across your IT infrastructure?
Implement a cyber security solution that monitors networks, endpoints, and cloud-based services 24/7. This in-depth visibility makes it easy to protect devices, assets, and users no matter the location.