Press Release: Digitalisation without Information Security has no Future
DeepSec conference warns of unsafe software and insufficient knowledge of professionals.
The months in which we had to learn to deal with the effects of various quarantine measures on our everyday lives have decisively underlined the importance of information technology. Although the Internet has long been an integral part of work and everyday life in many industries, the physical restrictions caused by the Covid-19 pandemic could have been far more drastic for public authorities, the economy and society without modern telecommunications. Audio, video and chat platforms have prevented things from getting worse. The call for more digitalisation, however, lacks the most important ingredient: information security.
Published software is safe, isn’t it?
In the world of software development, there is an unofficial saying that a product is ready when it can be installed; the rest will work itself out during use. That is not the rule everywhere, as some industries do take quality assurance very seriously. Often, however, popularity is the enemy of quality. How widely a piece of software is distributed says unfortunately nothing about what is inside it. In the case of the teleconferencing platform Zoom, it was also easy to see that the product had actually been intended for a completely different purpose and a different target group. In addition, errors are common in software and can only be eliminated with careful testing, processes for detecting malfunctions, and feedback loops back to the code. This path takes time that start-ups do not necessarily have. As a result, the state of security in published or available software is at best unknown.
Before a program can be available, there must be a design, prototypes and finally an implementation. The first requirement is so-called secure design. If fundamental mistakes are made at the beginning, no later implementation can repair them. Metaphorically speaking, a car with a bamboo body can never meet certain challenges. It is the same with software. The second requirement is secure coding, i.e. programming with methods that minimise errors in the software. That is the theory. The practice looks different.
Secure Design and Coding are not optional
Secure design and secure coding are not features that can be easily switched on or off. They have either been taken into account or they are missing; there is no middle ground. In addition, secure software offers no immediate advantage over a similar solution that was developed faster, is more popular and is cheaper. The code works in both cases. The difference only comes to light in exceptional situations, and advantages that are never visible in normal operation are very hard to promote psychologically. In the case of Zoom, it was easy to point out the failures in the area of secure implementation, but the weaknesses had previously been in daily use in installations worldwide without anyone asking critical questions. Too few questions were asked. The same problem can often be found in living rooms and offices worldwide. Entire industries rely on products that are very complex, interact through networks, and may never have been designed for the tasks they perform today. Document creation and processing is another common and widespread example.
Call for “Digitalisation!” and support Training!
In order to provide digitalisation with information security, one runs into a didactic dilemma. Methods of secure software development and secure design can only be learned with a basic understanding of how computers work, of common programming languages (plural, i.e. more than one), of network protocols and of operating systems. The basic principles cannot be grasped without this prior knowledge. For this reason, IT security topics are almost exclusively electives that are taken after basic training. Practice in companies confirms this. According to recruiters from major Silicon Valley tech companies, security specialists must have worked in at least three different areas for several years to be considered for an information security job. This approach is diametrically opposed to the direction taken by many training centres. The much-cited shortage of skilled workers in the field of digitalisation often results in people who, from a security standpoint, have learned little in record time.
Successful digitalisation therefore requires solid and sustainable training for programmers and all other specialists in the software development process. Constantly mentioning bits and bytes, using the Internet or invoking the omnipotence of apps is not enough for a secure future. Superficiality is not a virtue in IT security.
DeepSec 2020 in the Name of Science
This year's DeepSec In-Depth Security Conference wants to make its contribution to information-secure digitalisation. There will be lectures, trainings and exchanges between experts. The purpose is the further training of specialists in information technology, so that existing hardware and software can be made secure in the future. The programme is aimed at people working in product development, software development, management, system administration, research and teaching. In addition, an Internet of Things (IoT) hacking village will be built together with partners. Visitors can talk to experts directly and see that many smart systems are anything but secure.
Programs and bookings
The DeepSec 2020 conference days are on November 19th and 20th.
The DeepSec trainings take place on the previous two days, November 17th and 18th.
The DeepINTEL Security Intelligence Conference will take place on November 18.
The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.
You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.
Please note that, for planning certainty, we depend on timely ticket reservations.