Software is spreading like the plague. It's infecting phones, cars, household appliances, medical gear, office equipment and even TVs. And where software spreads -- such as to Supervisory Control And Data Acquisition Systems (SCADA) -- Internet connectivity is sure to follow.
The challenge we've seen in recent years -- even in highly controlled environments -- is that these systems are susceptible to attack just as traditional applications are. This creates risk and opportunity. The risk is that critical systems will be found vulnerable; perhaps a Stuxnet-like attack strikes crucial systems in the U.S. or Europe. And therein resides the opportunity for security and software quality and assurance firms to reach a growing new market.
Software development testing firm Coverity and embedded and mobile software firm Wind River have integrated Coverity's security development testing platform with Wind River's embedded software system. In addition, Coverity will provide an edition of Coverity Static Analysis, pre-configured for Wind River Workbench, which means it'll support both Wind River Linux and Wind River's VxWorks real-time operating system.
The idea, explains Zack Samocha, senior director, product management at Coverity, is to provide a way for development teams to bring security into the actual embedded development process and squash security-related bugs as the code is being written. Samocha makes an argument that has been long held among software security and assurance vendors: that catching flaws early in the development process is more cost effective than letting them slip into production.
"Development firms are always under pressure to produce, and get their products to market," says Samocha. "This integration helps them to catch and fix security vulnerabilities quickly and early in the process, without slowing down development," he says.
Embedded developers are going to need all of the help they can get. VDC Research Group recently published a report that shows more than 50 percent of engineers who were surveyed expect the products they'll be developing in two years will have web components. That's a jump of 20 percent from projects currently underway.
"Anyone who develops embedded systems should take a lesson from what happened with software and operating system vendors in the past decade: they became targets of both bad guys and security researchers who evaluated those systems for flaws," says Pete Lindstrom, research director at Spire Security. "There's no reason to believe SCADA and other embedded systems will be any different."
With that in mind, Coverity also recently announced the formation of its Coverity Security Research Laboratory. The Coverity lab will investigate the cause of both existing and new security-related defects, Samocha says.
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.