Le 15 Juin 2016, CAST a organisé un workshop au tour du sujet Security By Design à l’hôtel Hilton, Paris La Défense avec des intervenants de SOLUCOM, ATOS, BNP PARIBAS CARDIF et CAST en présence d’une trentaine de participants du secteur public, finance, énergie, éditeurs de logiciels, etc.
CAST security workshop
La sécurité des applications reste un enjeu majeur à la fois en termes de fréquence, de gravité et d’impact, non seulement pour le business mais également pour le DSI lui-même. Selon l’étude PWC “le nombre de cyber-attaques recensées a progressé en 2015 de 51% en France, alors que les budgets sécurité des entreprises françaises ont augmenté en moyenne de 29%, soit autant que les pertes financières estimées imputables à ces incidents (+ 28%)“. Plus particulièrement, les analystes précisent que les problèmes de sécurité sont à 75% liés à des failles d’architecture logicielle ou le « design » des applications, c’est-à-dire à la manière dont les composants et applications sont interconnectés.
Panel Discussion at the 2016 Software Risk Summit Software risk has historically been overlooked as a security concern by business leaders, and companies have paid a high price as a result. Remember the JPMorgan hack of 2014? That cost the bank more than $6 billion. RBS has paid £231 million for their IT failures as of two years ago. The Target breach? The retailer posted a write down of $152 million. Or, more recently, Jeep controls being taken over by hackers, and a similar incident with Toyota-Lexus having to fix a software bug that disabled cars’ GPS and climate control systems? That costs the manufacturers valuable consumer confidence points and can seriously damage sales.
So I was thrilled to know that the topic for the first annual Software Risk Summit in New York was indeed just that, software risk. I had the pleasure of moderating the panel discussion with esteemed guests from BNY Mellon, the Software Engineering Institute at Carnegie Mellon, the Boston Consulting Group and CAST. But beforehand, I was able to sit-in on the keynote by Rana Foroohar.
High-capacity network bandwidth has become more widely available, and we have quickly tapped into every last inch of its capacity. More devices are built with wi-fi capabilities, the costs of mobile devices are going down and smartphones are in the hands of more people than ever before. In fact, Apple might have already exhausted the market and is seeing drastically lower sales forecasts for the iPhone.
We are moving into an era in which virtually any device will connect to the Internet. Phones, fitness trackers, dishwashers, televisions, espresso machines, home security systems, cars. The list goes on. Analyst firm Gartner estimates that over 20 billion connectable devices will exist worldwide by 2020. Welcome to IoT—the Internet of Things. A giant network of connectable things.
In April, Google experienced a fairly significant cloud outage, but it was hardly news at all. In fact, it was likely the most widespread outage to hit a major public cloud to-date. The lack of coverage is strange, considering the industry’s watchful eyes like Brian Krebs and others. The even more recent Salesforce service outage seems to have received more attention. But despite the fact that Google seems to have gotten away with a “pass” this time, the glitch brings renewed attention to the fact that tech players large and small are continuing to deal with software robustness issues.
Google Compute Engine was down for a full 18 minutes around the 7 o’clock hour Pacific Time on April 11, disconnecting all users in all regions. This was a Google cloud outage, and the root cause was a network failure. Network outages appear to be an ongoing challenge for Google, this one being the biggest yet.
With the advancements of both cloud and mobile technologies, security remains a hot topic for every company. The number of reported instances of security backdoors due to faulty code or hardware continues to stagger. A recent article by Wired has brought forth another one of these unfortunate issues for a big player: Juniper. This technology giant has been providing networking and firewall solutions to companies, corporations, and the government for a number of years.
As a leader in networking technology, the last thing you want to hear is that a tech powerhouse like Juniper has found an application security problem. Two security issues were identified after a code review session outside of the company’s normal evaluation cycle. Security continues to remain a primary concern as more companies, government agencies, and even individuals rely on technology providers to manage data or maintain smooth operations.
IT leaders from throughout the federal government discussed the value of how software measurement can positively impact their development process at CAST’s recent Cyber Risk Measurement Workshop in Arlington, VA – just outside of the Washington, D.C. area. The event brought together more than 40 IT leaders from several governmental agencies, including the Department of Defense and Department of State, system integrators and other related organizations. The group shared their experiences in how their respective organizations are driving value to end users and taxpayers.
Measuring and managing software quality is not just about compliance with government mandates, but rather around the proposition that strong software quality, security and sustainability are paramount. However, compliance remains essential. Three primary points around software compliance voiced by attendees were:
In 2014, the IT infrastructure at the Federal government’s Office of Personnel Management (OPM) was upgraded from a security rating of “material weakness” to one of “significant deficiency,” according to The Wall Street Journal’s CIO Report. Which means that the OPM, even after upgrading to mitigate software risk, wasn’t up to snuff. That is – to put simply – unacceptable. It is also both a dismal and infuriating fact to learn – especially for those who were among the 21 million present and past Federal employees, revealed last week, to have had their Social Security numbers and other personal information stolen in the recent data breach.