Ensuring the security of engineering software

By Anthony Nicoli

Commercial organizations and government agencies are common targets of cyber-attacks due to the valuable information they possess. In one dramatic example, information related to the F-35 Joint Strike Fighter, P-8 Poseidon patrol plane, C-130 Hercules cargo plane, Joint Direct Attack Munition (JDAM) bomb, and future Australian Navy ships was ex filtrated from an Australian defense firm in November of 2016 (Figure 1).

Figure 1: Information about the F-35 Fighter was stolen in a notable cyber-security breach

The increased frequency and severe consequences of cyber-security breaches have alarmed large corporations around the world. As a result, companies are taking greater measures to secure their information throughout their supply chains.

Securing Enterprise Software Solutions

Preventing cyber-security breaches is crucial to a company’s reputation and to the successful operation and growth of its business. Manufacturers around the world have conceived and implemented multi-faceted secure software development programs, strengthening cyber-security for all the software they use. These programs place an intense focus on reducing the risk and cost posed by security vulnerabilities in third-party software through testing and secure development practices.

Security teams around the world have observed an evolution in hacking techniques in step with security improvements being implemented. As companies reinforced their own networks and software, hackers began targeting their supply chains. Supply chains tend to provide much larger attack surfaces for hackers because large companies use a lot of third party software. In response, companies are expanding their security programs to collaborate specifically with software vendors on establishing uniform procedures for software security.

A common first step is to incorporate a security assessment of the vendor’s products into the procurement process. The results of this assessment can be compiled and supplied to a company’s management to inform their decisions during the procurement process. After establishing a record of clean security reports, vendors and their customers will collaboratively evaluate the vendor’s secure software development lifecycle (S-SDLC) process as a whole. In some cases, vendors may demonstrate processes that are robust enough to deliver products routinely that meet security requirements.

The Vendor Perspective

Advanced security capabilities are a necessary feature for cutting-edge engineering software in today’s market. More and more companies are asking their software vendors to perform systematic verification of the security of their software. Yet, there are important factors for vendors to consider when investing in improved product security.

Security is traditionally a concern of IT or a dedicated security department, not each of the software development teams. Security is also a personnel problem, meaning that HR will be involved to create and host trainings on how to handle data properly (figure 2). Overall, the push for more secure software will require teams to collaborate that have not done so previously, creating a need for new processes. Furthermore, enhancing the security of sophisticated software requires a holistic approach. The vendor must add security features, like data encryption or an audit trail, and harden their software by identifying weaknesses in the code and resolving them. In sum, a vendor’s decision about investing in product security should be based on the impact that it may have on the sustainable growth of their business.

Figure 2: A holistic approach to secure development includes training personnel to behave with security in mind.

Securing the Enterprise’s Future

Today, companies are investing in the development of robust, comprehensive, and powerful safeguards against the numerous cybersecurity threats of the modern world. This is the culmination of the critical observation that cyber-criminals began targeting not just major corporations, but their supply chains as well. As a result, companies are beginning to work directly with their software partners to establish robust and consistent security practices across their supply chains.

This enhanced focus on security is driving software vendors to adopt new processes and approach security from a more holistic perspective. Achieving greater security may require previously unrelated teams to collaborate, and an investment in new technologies. Vendors that commit to improved security, however, will differentiate their products by providing better protection to their customers, and themselves.

To continue reading, please download our whitepaper Ensuring the security of engineering software

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at