We live in a world that is dependent on tech. I’m going to generalise, but before Covid, when I looked around in restaurants, bars or social gatherings, many of us had our heads down (alas, I am a culprit too). Heads down unhappy? No, heads down seeing what exciting video, news or popup WhatsApp/Facebook/text message would appear next.
I’m not one to look at dancing cat videos, but many of us are streaming music and full movies on Netflix or Amazon Prime. The point is that we are demanding devices with larger capacity and, fundamentally, faster download speeds.
At the time of writing, working remotely is the norm. Businesses that were reluctant to let their employees work from home suddenly need those employees to have decent Internet speeds. People can tether to their mobile phones at 4G speeds, which may sometimes exceed their home broadband landline speeds.
We want more!
There is always a lot of buzz when 5G is announced in a country. Why not? 5G could be up to 100x faster than 4G, delivering what an interconnected society needs. 5G is the thing, right?
Great, when does it arrive?
Implementing any opportunity has its risks, and 5G is no exception. 5G will require deployment in a country’s mobile networks. News from the BBC suggests that Huawei failed to tackle security flaws in its equipment. We were already aware that there were vulnerabilities, but the report suggests that, even recently, the National Cyber Security Centre (NCSC) saw no evidence of improvement.
Huawei’s response states: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities”.
What does that mean? That is deeply concerning for such a huge company.
I do not know the extent of its “infancy”, but as an assessor/auditor, and putting my software developer hat on, it’s not that hard to build security considerations into the software development process. The traditional stages of requirements, design, coding and testing can each include security considerations. For example: what security requirements do we need? How do we design using threat modelling? How do we code against secure coding guidelines, backed by developer training? How do we test securely, with vulnerability scanners and penetration testing methodologies?
Even with agile methods, you can still implement security considerations and checkpoints.
Document what you do and do what you document.
The report also highlighted “poor coding practices” and a “range of evidence” that employees were not following Huawei’s own practices and guidelines – putting my assessor hat on, that’s a fail.
So what can we learn from this?
There are several things we can take away as lessons learned. First, whenever you engage with a third party, make sure you really do your due diligence. It’s not just about whether they have business insurance and are an appropriately sized company; have you also considered how that third party handles information (perhaps your information), how they will design your software, how they will implement technology, and so on?
Secondly, whether you outsource your software development to a third party or develop in-house, ensure that there is a formalised development process in place, with suitable security considerations at each stage and checkpoints that stop software being rushed out the door with known vulnerabilities. Document what you do and do what you document.
Third, whenever you have your systems tested from a vulnerability or penetration test perspective, remember that application testing is separate from network testing. Be clear in your scope about what is to be tested. As network defences have become harder to break through, attackers increasingly leverage vulnerabilities in software to get in.
Hope that helps and remember…
“Security is not a compromise”.