Blog

As a CTO, especially in China, are you worried that you will not be able to resume work? Or perhaps you are desperately trying to manage your team working from their homes to ensure that product is launch meets the deadline? Indeed, the outbreak of COVID-19 in Wuhan has a profound impact on social and economic development far beyond our expectations. This sudden public health incident can be likened to the daily issues faced by businesses today as it is just like a software security incident caused by vulnerabilities and taken advantage of by computer viruses. What are the lessons we can learn from this?

Is the cause internal or external?

Software developers, product managers, QA professionals, and CTOs are paying close attention to product launches every day with most of their focus resting on meeting product requirements and deadlines. This need for speed to market however, means they often ignore security concerns with vulnerabilities lying in the code silently and undetected. QA teams follow their test plans as fast as they can which often leads to a lack of thorough analysis of the application. With a successful launch, everyone is happy until a vulnerability is maliciously exploited by an attacker. A vulnerability that could have been caught early through a secure coding approach or by using the right source code analysis tools. There is a famous saying from an ancient Chinese doctor Bian Que: “if we do not treat illness at its early stage, it will only get worse”. In other words, the best physician is the one who prevents his patients from becoming sick, not the one who tries to save them when they are already near death. This is true when it comes to software compliance and security and the reason why ‘shift-left’ in the SDLC for securing applications is becoming widely adopted. A big lesson is ‘Don’t leave security until the end’.

What exactly causes software security incidents? In his famous essay ‘On Contradiction’, Mao Tse-Tung claimed the basic cause of development in a thing is not external, but internal, and lies in internal contradictions. The first action and sometimes the only action by organisations is to secure themselves from external attacks. They tend to pay a lot of attention on anti-virus software and firewalls for external intrusion prevention. However, not enough attention is placed on training developers is code quality and secure coding. You can break down a company firewall but if the code is secure, there may be no opportunities for the attacker to exploit their intrusion. An insecure application can lead to compromised data, loss of service, denial of service, systems damage, all of which costs companies millions of dollars. The lesson here is to ensure security by design is a standard way of working.

Does your company have a “nucleic acid test” with high accuracy?

It is reported that the diagnostic accuracy of the nucleic acid tests for COVID-19 is not 100%, which means that results could include a mix of ‘false positives’ and ‘false negatives’. A false positive is a test result which wrongly indicates that a particular condition is present. A false negative is a test result that indicates a person does not have a condition when the person actually does. For the ‘false positive’ cases, medical professionals will have to spend more time and resource to check each patient one by one. The “false negatives” on the other hand lead to severe implications in the continuing spread of the virus once patients are no longer confined. This is reflected in the process of software application security testing (SAST) where developers need tools that provide a high level of accuracy in the identification of defects with fewer false positives and false negatives. Static code analysis is used to identify defects early in the SDLC with the help of secure coding standards such as CERT where a wealth of worldwide knowledge is used to help avoid writing insecure code. A question all CTOs and developers should ask themselves is do we have the best “nucleic acid test” to locate vulnerabilities in the system. The lesson here is to ensure you have the right static code analysis tools for the job.

How to avoid a virus breakout?

1. Stick with the quality-first mindset. We should focus on the improvement of the quality management system, regardless of the input-output ratio in the short run.

2. Increase investment in safety and quality management systems, improve the secure coding mentality and skills of developers so they check for vulnerabilities whilst implementing code. Although it requires investment at an early stage, it enhances the company’s overall performance and its ability to respond to risks. Security by design should become second nature to any developer.

3. Strictly control the quality and use static code analysis tools that have high accuracy in identifying defects and potential risks in the software as early as possible.

At Xcalibyte, we use in-depth compiler technology to analyse code quality for compliance and vulnerability detection. Our solution, Xcalscan, can be seamlessly applied to the software development process to help developers identify defects earlier and with greater accuracy.