Last time we discussed how we can promote security for code and customers by using tools such as Klocwork. In that article, we discussed how security is a prerequisite and must be considered as we design and build our software products. What that article did not address is whether there is a difference between code safety and security.
In recent years, the terms have been used interchangeably, promoting confusion. The Motor Industry Software Reliability Association (MISRA), which has been traditionally seen as a safety standards body, has issued MISRA C: 2012 Amendment 1, reflecting an evolving understanding that safety and security are related. Since the 1980’s, functional safety requirements have been one component of safety that attempts to address the safe management of likely operator errors, hardware failures, and environmental changes.
Do these subtle differences between the terms matter?
Understanding code security and safety
Safety is the freedom from unacceptable risk or harm. Security may be defined as the prevention of illegal or unwanted interference with the intended operation or inappropriate access of a system. Or, another way of thinking about this is that safety is the state we are trying to achieve and security is the means to achieve the state of safety. This is not mere semantics to security professionals who look to balance confidentiality, integrity, and availability when designing systems. Security is about ensuring our software functions correctly while under attack and we do this with great measures, by practicing good programming techniques such as validating input from untrusted data sources.
In an earlier blog, “What I learned at Mile High Agile 2017,” I discussed the need for holistic thinking and focusing on the system to build the right things, right. How do we consistently deal with the hundreds of requirements that exist in MISRA or ISO 26262 when we also know developers are coming to our teams poorly equipped and supported to cover these requirements? How do we ensure that policies are consistently applied?
When it matters, our clients consistently turn to a defense in depth philosophy that involves the deployment of effective processes, training, and tools. Tools have many advantages that include being able to find hundreds of issues very quickly and the ability to automate otherwise error-prone manual activities. For example, tools may be embedded into your Continuous Integration process to find issues soon after check-in. Finally, tools promote consistency across an enterprise that involves many teams made up of many engineers.
While the distinction between safety and security is important to understand, it can be very challenging to translate that understanding into implementation.
Klocwork makes it easy for an organization to adopt security and safety requirements into their software development by providing an industry-leading set of checkers and reports. So you don’t have to train developers and create new tests.
Innovate with confidence.
Join our upcoming webinar with industry experts discussing security issues, “Cyber Security: It Starts with the Embedded System,” by registering here