Embedded Technology Supplement


can also provide a substantial financial benefit, since fixing defects during a later phase, such as in production, could cost substantially more than finding vulnerabilities early in the SDLC. According to the Systems Sciences Institute at IBM, the cost to fix a bug found post release is roughly 15 times higher than one detected during implementation. *


So, preventing as many of these flaws as possible from reaching either of those stages will help reduce the risk of unexpected expenses later. However, a balance needs to be struck between better embedded security and the addition of processes that could negatively impact project timescales, so careful thought needs to be given to the tools and techniques used to apply Shift-Left Security, as well as to establishing a ‘security-first’ mindset within teams.


Mindset matters


Above all, security tasks need to become an automatic part of the daily developer workflow, and this is good news for team members. By detecting and dealing with errors early, less time is spent on security flaws later, when remedial work is usually more costly. Shifting security to the left can also improve final product quality, better collaboration between teams, and even accelerate time-to-market: all this is good for team morale and helps turn security into a help rather than a hindrance.


In addition, it is essential to implement Shift-Left Security training as a continuous process across all relevant teams, not just developers but delivery teams and QA too: the more eyes on the software, and the better those eyes know what to look for, the better security can become.


Capturing and reusing knowledge


Fortunately, there is a vast pool of security knowledge available, both for free and for a fee. The former category includes the community-led Common Weakness Enumeration (CWE) Top 25 list of the most widespread and critical vulnerabilities. Similarly, the Open Web Application Security Project (OWASP) Top 10 covers the critical security risks for applications, based on analysing the exploits most used by hackers and the level of subsequent damage. Coding weakness lists like the CWE Top 25 and OWASP Top 10 are extremely valuable resources, giving users rules and guidelines that have been created and honed over many years by people with extensive experience in the space. Think of coding guidelines as assistants saying ‘do this’ and ‘do not do that’, giving developers the confidence that they are creating more robust and more secure code. Other examples of security-focused coding guidelines include CERT and DISA STIGs. Coding standards also support industry compliance and are mandated in some cases, for instance as part of IEC 62433.


Automating security checks


If applied manually, coding standards can take up a considerable amount of code review time, which is why many organisations opt to use static code analysers or static application security testing (SAST) tools to automate the process. These software tools inspect code in the background, looking for specific defects (such as violations of secure coding guidelines). SAST tools are also relatively fast to run, without impacting feedback loops, and can check software elements before they are ever executed, so they can be used at the very earliest stages of the SDLC.
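To make the SAST idea above concrete, here is an added example (not from the article or any named vendor): a deliberately tiny rule-based checker that scans C source text for a handful of libc calls that public coding standards warn about, and acts as a pre-commit gate. The rule table, the CWE/CERT labels attached to each rule, and the sample C fragment are constructed for illustration; a real SAST tool ships hundreds of rules and a proper parser rather than a regex.

```python
"""Toy SAST gate: flag risky libc calls in C source without compiling or running it."""
import re
from dataclasses import dataclass

# Illustrative rule table (assumption: real tools carry far more rules).
# callee -> (public-standard reference for the weakness class, suggested remediation)
RULES = {
    "gets":    ("CWE-242 / CERT MSC24-C", "use fgets() with an explicit buffer size"),
    "strcpy":  ("CWE-120 / CERT STR31-C", "check lengths first or use a bounded copy"),
    "sprintf": ("CWE-120 / CERT STR31-C", "use snprintf() with the destination size"),
}
# Match an identifier from RULES followed by an opening parenthesis, i.e. a call site.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int      # 1-based source line
    callee: str    # flagged function name
    rule: str      # standard reference from RULES
    advice: str    # remediation hint from RULES

def scan_c_source(src: str) -> list[Finding]:
    """Return one Finding per risky call; trailing // comments are ignored."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split("//", 1)[0]      # simplification: no block-comment handling
        for m in CALL_RE.finditer(code):
            callee = m.group(1)
            rule, advice = RULES[callee]
            findings.append(Finding(lineno, callee, rule, advice))
    return findings

def gate(src: str) -> bool:
    """Pre-commit decision: True means the change may proceed (no findings)."""
    return not scan_c_source(src)

# Constructed embedded-style sample (hypothetical, not from the article).
SAMPLE = """\
#include <stdio.h>
#include <string.h>
static char name[16];
void read_name(const char *in) {
    strcpy(name, in);          // unbounded copy into a 16-byte buffer
    printf("hi %s\\n", name);  // not flagged: no rule for printf
}
// strcpy(name, x) was removed from here: comment text is not a call
"""

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE):
        print(f"line {f.line}: {f.callee}() [{f.rule}] -> {f.advice}")
    print("gate:", "PASS" if gate(SAMPLE) else "FAIL")
```

Running the checker on SAMPLE reports only the strcpy call on line 5 and fails the gate, which is the kind of fast, execution-free feedback the paragraph describes.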


Conversely, while dynamic application security testing (DAST) tools have a hugely beneficial role to play later in the cycle, they are often much slower and more complex to operate, and require the system (typically the whole system) to be executed, making it harder to implement dynamic testing at an early stage.


Finally, while tools and processes have a massive role to play in implementing Shift-Left Security, it is — above all — an approach, a mindset, an acceptance and a commitment that security must be at the heart of software development, and as early as possible. Moreover, more secure, safer code contributes to risk reduction, satisfied users, and market reputation. Shift-Left Security can even improve the lives of embedded software developers, assuring them that they are creating products that are fit for purpose in the broadest sense, without adversely impacting their daily workload.


www.perforce.com


* https://www.researchgate.net/figure/IBM-System-Science-Institute-Relative-Cost-of-Fixing-Defects_fig1_255965523


Components in Electronics, July/August 2023, page 29 (www.cieonline.co.uk)

