Berlin, November 8, 2020. The digitalization of business and society means that software and software-based products are becoming ubiquitous. Alongside the opportunities this brings, the dangers and threat scenarios must also be taken into account. The digital association Bitkom points this out in its new guide “On the security of software-based products”. The guide examines in detail fundamental questions on security in the production and use of software. “Well-functioning, secure software is the decisive component for future value creation in companies,” says Bitkom expert Dr. Frank Termer. This makes it all the more important to establish a general understanding of software security that reaches beyond the specialist community. “The guide is intended to make a contribution to this,” says Termer.
From Bitkom’s point of view, the following seven key questions in particular need to be answered in a way that is generally understandable:
1. How is software produced?
Many people are usually involved in the development of software. First, the requirements for the digital solution or IT system to be developed must be gathered. Then the architecture of the software is planned. Only in a few cases do developers have to write code from scratch: they can often rely on code libraries or use open source software. Software therefore often contains elements from other software that are adapted and developed further for a specific use. Before release, software is ideally subjected to a stress test and tested with customers under real conditions. Even after release, the software must be revised regularly.
2. Why do software updates need to be performed so frequently?
Software must be adapted regularly in order to offer users the best possible product, so regular updates are needed. Most of these are functional updates, which become necessary, for example, when service maintenance is carried out or when manufacturers release new software functions. Security updates are also carried out from time to time to respond to newly discovered security vulnerabilities in the software.
3. Why is software never completely error-free?
Modern methods and tools for software development reduce the potential sources of error. However, as long as software is created by people, errors cannot be completely ruled out. The scope and complexity of modern software mean that analytical methods such as testing cannot, at reasonable effort, find all such errors and eliminate them before the software is put to use.
4. How do manufacturers still ensure high software quality?
Software development companies achieve the most comprehensive quality possible in the development process through “security by default” and “security by design.” Three aspects are essential here: Firstly, appropriate security tools should be integrated into the actual software development. Secondly, security should be anchored as a universal code culture in all areas of software development involved. Thirdly, team organization matters: instead of placing individual teams in silos next to each other, a holistic cross-functional team should be created that can jointly drive the three components of development, operation and security and that cultivates an open approach to knowledge.
5. What happens if software errors cause damage?
If software errors occur, manufacturers can be held liable under the principles of product and producer liability even if there is no contractual relationship. However, in these cases the manufacturer is only liable if a software error has caused damage to legal assets that the legal system assigns a special value to, such as health or property. In order to avoid liability, the manufacturer must eliminate the danger resulting from the software error. It is, however, difficult to establish general principles for this.
6. How can users recognize “secure” software?
Clear proof of secure software can never be provided. However, recognized certificates can be an indicator of high-quality software, although it cannot be ruled out that certified software still contains errors and security flaws. Another indicator of high-quality software is the absence of entries for the software in the relevant vulnerability databases. These include the OWASP, CWE, NVD, CAPEC and CVE databases and other vulnerability databases (VDBs). In addition, software should always be purchased from trustworthy suppliers.
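The check described above, looking up a product in a vulnerability database, is usually automated over a component inventory rather than done by hand. The following Python script is an added illustration and not part of the Bitkom guide: it matches an inventory of components against a small feed of CVE-style records whose version-range fields (`start_including`, `end_excluding`) mimic the NVD CPE match conventions. All records, product names and CVE identifiers in it are constructed placeholders, and an empty result means only that nothing is listed, not that the software is free of flaws, as the guide itself notes.

```python
"""Match a software component inventory against a CVE-style vulnerability feed.

Added example, not code from Bitkom or from the guide. The feed below is
constructed: the CVE identifiers are placeholders and do not refer to
real advisories. Version-range semantics follow the NVD CPE match fields
versionStartIncluding / versionEndExcluding.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Component:
    product: str   # product name as it would appear in a CPE, e.g. "log-parser"
    version: str   # installed version string, e.g. "2.3.1"


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str                       # constructed placeholder identifier
    product: str                      # affected product name
    start_including: Optional[str]    # lower bound (inclusive); None = unbounded
    end_excluding: Optional[str]      # upper bound (exclusive); None = unbounded
    severity: str


# Constructed sample feed (not real CVE data).
CONSTRUCTED_FEED = [
    VulnRecord("CVE-0000-0001", "log-parser", "2.0.0", "2.4.0", "HIGH"),
    VulnRecord("CVE-0000-0002", "log-parser", None, "1.9.0", "MEDIUM"),
    VulnRecord("CVE-0000-0003", "image-codec", "3.1", "3.1.5", "CRITICAL"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn "2.3.1" into (2, 3, 1); non-numeric suffixes such as "-rc1" are dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; "3.1" and "3.1.0" compare equal (missing parts count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(component: Component, record: VulnRecord) -> bool:
    """True when the record names this product and the installed version lies in its range."""
    if component.product != record.product:
        return False
    if record.start_including is not None and \
            compare_versions(component.version, record.start_including) < 0:
        return False
    if record.end_excluding is not None and \
            compare_versions(component.version, record.end_excluding) >= 0:
        return False
    return True


def find_entries(inventory: Iterable[Component],
                 feed: Iterable[VulnRecord] = CONSTRUCTED_FEED) -> dict[str, list[str]]:
    """Map "product version" to the sorted list of matching record ids (empty if none)."""
    feed = list(feed)
    report: dict[str, list[str]] = {}
    for comp in inventory:
        key = f"{comp.product} {comp.version}"
        report[key] = sorted(r.cve_id for r in feed if is_affected(comp, r))
    return report


if __name__ == "__main__":
    # Constructed inventory; the boundary case 3.1.5 is excluded by end_excluding.
    inventory = [
        Component("log-parser", "2.3.1"),
        Component("image-codec", "3.1.5"),
        Component("image-codec", "3.1.2-rc1"),
        Component("web-cache", "1.0"),
    ]
    for key, ids in find_entries(inventory).items():
        print(f"{key}: {', '.join(ids) if ids else 'no entries in feed'}")
```

In practice the feed would be fetched from NVD or a comparable database and the inventory taken from a software bill of materials; the matching logic stays the same. The exclusive upper bound is the detail most often got wrong in such scripts, which is why the sample inventory includes a version sitting exactly on it.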