LAS VEGAS - Christine Gadsby, director of Product Security for BlackBerry, has a message for organizations developing software: It's easier to fix bugs in development than after a product is generally available.
Gadsby shared her experience and some templates during a session at the Black Hat USA 2018 conference titled, "Stop that Release, There's a Vulnerability!" The session was one of ten must-see sessions we noted earlier this week.
While BlackBerry was once best known as a hardware vendor, Gadsby said BlackBerry in 2018 is a software security vendor. Every release is tracked and managed at BlackBerry in an effort to help reduce the potential attack surface.
Software Readiness Review Program
At the core of BlackBerry's efforts is the company's Software Readiness Review Program, which Gadsby said is a process that other organizations can benefit from as well. With the program, organizations add security reviews to the release criteria for a software release.
"Having a software readiness review program lets you understand the cost-effectiveness of security," Gadsby said.
While it's important to ship updates as needed, she said, a fix in the build stage of software development is much easier than one made after a product has already been deployed.
So what are the core steps in setting up such a program?
- Get Support. Gadsby said it's important to have a team behind software security and a commitment to build security into the release cycle.
- Define Vulnerability. It's critical to have a common language across an organization to understand and define what a vulnerability is and how severe different issues might be.
- Create Standards. Gadsby suggests that organizations understand the security posture of each software release and tag vulnerabilities for ease of identification. She also emphasized that it's important to have standard templates for communicating and tracking information on software bugs.
Should you ship it?
Going a step further, one of the templates that BlackBerry has created is what Gadsby referred to as a "Should We Ship It?" calculator. The calculator is a spreadsheet that includes revenue impact, ease of discovery, impact to the business and the potential for media risk among the contributing variables.
"At the end of the day, product teams ship products," Gadsby said.
While having a software vulnerability process built into the development cycle might add some challenges, it has a positive result in the end. Gadsby noted that BlackBerry has found an average of 8 potential vulnerabilities every day.
"This is an ongoing process, so focus on making progress," Gadsby said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.