Hackers, vandals, voyeurs, hacktivists, thieves, organized crime groups, industrial espionage actors, terrorists, nation-states, and others have all discovered the power of our software-intensive, network-connected systems and have learned how to attack and compromise those systems to achieve their objectives. The systems we’ve built are under attack constantly, and seldom does a day go by without a report of a large-scale attack making front-page news. A small subset of headlines from just one week in August 2014 includes:
- “FBI, Secret Service Investigate Reports of Cyber Attacks on U.S. Banks” (Reuters)
- “Home Depot Confirms Hack; Cyber Attack Could Affect Customer Credit Cards” (Huffington Post)
- “300 Oil Companies Hacked in Norway” (The Local)
- “Cyber Attacks Cause Data Loss to Community Health Systems” (SPAMfighter)
- “ISIS Claims Sony Cyber Attack, Makes Bomb Threat Against Senior Exec John Smedley” (news.com.au)
Software developers must understand that the software they produce is likely, no matter what its function, to become the target of an attack at some point. It may provide the attackers a path to the data they want, access to other parts of a system or network, or a place to hide malware that will be activated later. Increased awareness of the problem is leading to a reinvigorated emphasis on software assurance with a corresponding increase in methods, tools, and techniques to improve the “built-in” security qualities of newly developed software.
This talk will characterize the evolving threat and provide pointers to methods, tools, technologies, and forums designed to help software developers produce software able to withstand the attacks it is sure to face.