Recent studies suggest that 90% of the world's digital data was generated over the last two years alone. As the global community continues to create more and more data, keeping it out of the reach of unauthorized users continues to be a major challenge. Hardware-based security is widely recognized as a best practice for protecting the confidentiality, integrity and availability of data such as financial transactions, medical records and personal information.
At the same time, today's vulnerability research and attack methods are also becoming more sophisticated, often penetrating past the software layers and compromising the underlying hardware. When not implemented or verified properly, hardware-based security can have its own set of challenges. It is evident that the industry needs a comprehensive understanding of the common hardware security weaknesses and the corresponding secure-by-design best practices, so as to help protect sensitive data that users generate and consume each day.
A key resource for tracking software vulnerabilities today is MITRE's Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. A simple way to differentiate the two is that CWE is a taxonomy of common security weakness types, offering different views through which a user can traverse its categorical buckets, whereas CVE maintains a collection of specific vulnerability instances that have already been found and reported publicly. CWE groups similar CVEs together to facilitate research and analysis.
Essentially, the two systems work hand-in-hand to provide the ultimate vulnerability reference guide. These resources aim to educate architects and developers to identify potential mistakes when designing and developing software products. At the same time, they enable security researchers and tool vendors to pinpoint current gaps, so better tools and methodologies can be offered to automate the detection of common software security issues. But what about hardware vulnerabilities?
Until recently, we have not had any kind of industry-scale, standardized catalogue that captures known hardware security weaknesses in one place. If we expect hardware vendors and their partners to collectively deliver robust security solutions, we need an up-to-date primer where hardware designers can stay current with time-tested best practices and avoid common security pitfalls. Without a common language, it becomes challenging for researchers and practitioners to contribute learnings, exchange information, and share techniques with one another.
As with any broad technological hurdle, it will take the industry working together to drive the advances that move hardware security assurance forward. Industry leaders have been collaborating with leading standards bodies to develop innovative capabilities and trusted foundations that the wider industry can build on. These efforts are gaining momentum.
In fact, a recent example is industry collaboration with MITRE on its brand new Hardware Design View, which complements the existing software-oriented security weakness taxonomy with a hardware-oriented counterpart. With the most recent CWE 4.1 release, users now have access to almost 60 hardware weaknesses that are commonly overlooked by hardware designers, along with useful information that helps to identify and mitigate them.
These are great first steps, but the journey is far from over. "It takes a village to raise a child." Likewise, it takes a community to develop an industry-scale resource. The research community and ecosystem partners across the industry, academia and government must join hands to contribute and build out this new resource. Keeping it comprehensive and up to date will be key to enabling this cumulative, standardized Hardware CWE to offer its many great benefits.
Product Architects and Hardware Designers will gain a deeper understanding of the common security pitfalls, allowing them to avoid making similar mistakes when creating solutions. Verification Engineers will become more fluent in common security mistakes and in how they can be effectively detected at various stages of the product development lifecycle. This will enable them to devise proper verification plans and test strategies for improving the security robustness of products.
Additionally, Security Architects will focus their energy more efficiently on systemic issues and work to identify effective mitigations that help eliminate risks or make exploitation much more difficult for attackers.
An established, growing Hardware CWE will also allow Electronic Design Automation (EDA) Vendors to prioritize and expand their tool features and offerings, which will better enable hardware designers to avoid the introduction of common vulnerabilities. In addition, the comprehensive primer will provide data and insights for constructing proper benchmarks that enable Enterprises to objectively compare the capabilities of different EDA tool options, allowing them to identify the right ones that meet their specific needs.
Furthermore, Educators will draw on the latest collection of common hardware weaknesses to develop training materials and secure-by-design best practices that focus on the most relevant areas of concern, so that university curricula and corporate training programs can help audiences gain the critical skills they need.
And finally, a more established public database of hardware issues will help Security Researchers to leverage a common taxonomy to communicate without ambiguities, facilitating learning exchange, systematic study and collaboration, while making the field more accessible for aspiring researchers.
Today, categorizing hardware vulnerabilities, understanding their root causes, and deriving mitigation strategies can feel like an endless battle. Creating a common taxonomy for discussing, documenting and sharing hardware security weaknesses has become paramount. As hardware vulnerabilities continue to get more complex and challenging to address, we must continue to invest in the research, tooling and resources needed to properly catalog and evaluate hardware vulnerabilities with the same urgency and scope we do for software threats.
MITRE's new Hardware CWE is a fantastic initial step upon which security researchers and the broader industry can build to enable practitioners to speak in the same language as they strive to deliver hardware solutions that are safe and secure for people to entrust with their data.