Guarding the code: How safe is your software?
With the continual evolution of communications, software has become the backbone behind the tools we rely on every day. From computers, phones, and tablets to the enterprise systems that power our shopping, our businesses, and our government, software integrity is becoming more and more essential to our productivity and safety.
It used to be that software would be developed by a small team of dedicated engineers who took the project from concept through implementation, distribution, and support. In contrast, today’s software is far more complex, and is often developed by teams numbering in the hundreds (or thousands), working on multiple continents, assembling a mixture of in-house, open source, re-used, and/or purchased source code – over a development lifecycle that can easily span a decade.
Once developed, this modern software is distributed through a variety of channels – via website downloads, pre-loaded onto hardware at a contract manufacturer (most likely off-shore), or copied onto CDs, DVDs, USB drives, or other media before it arrives in your facility.
Each company, person, place, network, or hard drive the software passed through is an opportunity for malware and security vulnerabilities to be introduced – all before the software gets into your environment. And even though there’s plenty of attention given to firewalls, virus scanners, VPNs, password protection, and other tools to protect our corporate and home networks, the software we’re running on those networks is only as safe as the weakest link in its supply chain.
It’s impossible to change how the software you’re using today was developed, and few organizations have the time or expertise needed to evaluate the security processes used to handle software during its development and distribution.
However, a new class of Independent Validation and Verification (IV&V) services is emerging to help confirm that software is free of malware or other vulnerabilities.
The network is evolving, the software supply chain is expanding, and network-level software integrity requires more attention as a component of our larger security ecosystem. Even when software is complex and development teams are large, IV&V and other software evaluation methods can help ensure secure enterprise operations.