Critical Communications World 2018 was held in Berlin. The event gathered cyber and physical security experts together and offered several stages for different speakers, including many world top critical communications professionals. My current employer Deltagon Group participated in the event in co-operation with the Finnish security cluster Critical Communications Finland.
I was truly honored to be one of the panelists discussing a very interesting topic: “Criteria for Mission-Critical Applications”. The panel was hosted by Airbus Marketing Director Tapio Makinen. The other panelists were: Jyrki Rantonen – Insta Defsec Oy, Jani Lehtinen – Secapp of Magister Solutions, Esa Suutari – Sunit and Marko Saukkola – Jolla.
During the discussion Tapio asked what kind of products the panelists’ organizations are developing and where the vision for each product originally came from. He was very curious about what the criteria for mission-critical applications were and what the most important things customers were demanding were.
Quite soon the discussion turned to the best practices for handling the research and development of mission-critical applications.
At the end of the panel a couple of audience questions were asked. One interesting question was “How can customers ensure that proprietary (or closed-source) software does not contain backdoors, or that its overall security is at a high level?”. The question was something I have been thinking about a lot, so I was eager to answer it and had an extensive answer ready. A separate blog post could be dedicated to this altogether, but in a nutshell here are the most important points:
- First of all, to fulfill the criteria for mission-critical applications, the internal development process and infrastructure have to be solid and well documented (not forgetting skilled developers).
- The internal quality assurance process has to have many steps, and code changes must be approved by different, isolated departments/stakeholders, so that no single party can slip a change through unreviewed.
- Third-party audits must be in place and organized regularly (of course the third party must be well known and trusted).
- If the application is used by the public sector, it is highly recommended that the national security authority does regular checks as well.
- Finally, customers can do black-box security testing themselves or hire security experts to do it.