Best practice to improve mission-critical software during a crisis  – through improved software development practices

By Gordon Saladino, Senior Sales Engineer, Perforce

Utilities, communications networks, defence, and finance systems are all critical to keeping up and running as much as possible during natural disasters and other crises. One thing they all have in common is their increasing dependency on software systems to ensure continued operation. And that means that the code used to create all that software must be robust and able to cope with sudden peaks in demand and secure against cyberattacks. Techniques such as continuous testing, automated code inspection, coding standards, adopting a more security-first approach, and making the most of available knowledge sources can contribute to a safer, more secure software development environment.

Baking security into software’s creation is vital, because one of the primary ways vulnerabilities are created is during the software development stage, caused by errors when source code is written. For example, when an SQL statement is made using unvalidated input, this could lead to an attacker being able to read or modify confidential data or execute arbitrary commands, such as deleting all the information in the database. During a crisis, a cyberattack is the last thing anyone needs.

However, the risk of cyberattacks aside, having the confidence that systems that support citizens and their country will be fit for purpose during a crisis is also paramount. Vulnerabilities that creep in during the software development process can lead to performance issues, malfunctioning, or even downtime at a later stage.

This is why ensuring that software development processes supporting all these critical systems are rigorously managed and as securely as possible is essential. Also, many organisations and firms involved in these markets must ensure that their software development processes comply with compliance requirements.

However, the increasing complexity of software can create challenges, plus traditionally security has not been an inherent focus for developers (though this is changing). However, there are multiple steps that organisations can take to address the situation.

Look at the bigger picture

Start by looking at the bigger picture and examining all software sources internally and across the supply chain. Areas to scrutinise include legacy code, which can present issues, especially in the absence of prior testing or current technical support. Open-source software has significant benefits, but its easy accessibility makes it a target for malicious attacks. Likewise, unless commercial off-the-shelf software (COTS) is supported with strict requirements and proper testing, integrating it into mission-critical systems could present some risks.

Once this bigger picture is identified and understood, the next stage prioritises cybersecurity and code quality as part of software development processes. In practice, this includes alignment between the development and other business teams and finding strategies to adapt to various situations.

Continuous testing

Also consider applying a continuous testing strategy, a practice that plays a vital role in improving code quality and security throughout the development lifecycle. By continuously testing software, organisations can identify and address issues early, reducing vulnerabilities and enhancing overall robustness.

In addition, continuous testing helps identify and address vulnerabilities in various software sources, including legacy code, open-source software, and commercial off-the-shelf software. By rigorously testing these sources, organisations can mitigate risks and ensure the resilience of mission-critical systems.

Using industry-wide resources and standards

In addition, teams can draw on a vast set of industry-wide knowledge, for example, the community-led Common Weakness Enumeration (CWE) Top 25 list of the most widespread and critical vulnerabilities. Similarly, the Open Web Application Security Project (OWASP) Top 10 covers critical security risks for applications based on analysing exploits most used by hackers and the level of subsequent damage. There are also tests standards and frameworks available, such as the OWASP Testing Guide. Plus, some vertical markets have specific security standards of their own, such as DISA ASD STIGs for defence, and PCI PA-DSS for financial services.

Another valuable resource is coding standards, which are, in essence, sets of rules or guidelines that say ‘do this’ or ‘do not do that’. Returning to the earlier SQL example, a coding standard might instruct users to use only constant strings when creating SQL statements. However, coding standards are not just for security purposes; they are often used as part of compliance processes or purely to enhance to quality of code being created. Coding standards are a great way to encourage more consistency of ‘clean’ code across an organisation’s development teams.

Popular coding standards include MISRA and MISRA C:2012, which ensure that code created in C and C++ programming languages is safe and secure. Furthermore, the MISRA C:2012 addenda include guidance on mapping to the secure coding rules within ISO/IEC TS17961:2013 and CERT C. Some organisations also write their own in-house coding standards, and, in addition, it is common to use more than one coding standard.

Automation

However, it is essential that observing known vulnerabilities and working towards coding standards does not demand unreasonable amounts of extra effort and time from developers, who typically already over-stretched resources. So, ways must be found to automate code quality into software development as much as possible.

For instance, coding standards would be time-consuming to apply manually, so they are increasingly implemented using static analysis tools, which examine source code for weaknesses, non-conformity, or and in compliance. This takes place while the code is being written, in background mode, giving developers confidence that they are developing code that adheres to guidelines.

A further automation example can be found within continuous testing. By automating various tests, such as unit, API, UI, security, and performance tests, organisations can efficiently execute tests at every stage of the development lifecycle. This automation saves time, provides thorough test coverage, and enhances the reliability of mission-critical software.

Visibility

By using a continuous security and code compliance platform, organisations have a single pane of glass and a centralised store of analysis data, trends, and information for codebases. For instance, continuous testing provides real-time insights into code quality, compliance, and project trends. As a result, developers can view trending data for project quality and compliance purposes, make more informed decisions, and have access to valuable data for report generation.

Beyond in-house teams, it is also vital that code quality and risk management extends across the supply chain, based on visibility, so that newly procured software can be validated and existing code audited.

Shift Left

Another method increasingly used to improve code quality and security without slowing down development velocity is Shift Left. Over the past few years, the Shift-Left movement has been growing, based on the theory that by doing as much as possible in the software development life cycle (SDLC), costs and rework later on can be minimised.

Many teams already embrace Shift-Left via CI (Continuous Integration) systems, encouraging the integration of changes as early as feasible. This also fits within DevOps, of which DevSecOps is an extension, whereby the focus shifts from the development and operation of systems to include security and robustness. Now, there is also the concept of Shift-Left security, applying the same Shift-Left principles to security practices and requirements. Both static analysis and continuous testing tools align with the Shift-Left security concept, ensuring that security practices and requirements are addressed early and throughout the development process.

All these processes and tools will help support the quality, safety and security of code-supporting critical systems during a crisis. Of course, this is just one of many aspects to consider, but in a world increasingly dependent on software, it is increasingly important and deserves a solid foundation that prioritises code quality and security.

Gordon Saladino has over 40 years of experience in software technology. He has applied his skills and experience to the analysis, design, development, debugging, packaging, and delivery of software products. Currently, he is a Solutions Architect for Klocwork, and provides post-sales technical account management, which includes: planning, guidance, production deployment, custom configuration, custom integration, product tuning, dynamic problem solving, issue citing, training, system health checks, proactive product support, ROI management, and customer relationship management.