
My journey at Riscure: Diego Rivera

Author: Diego Rivera, Polina Kuzmina

Diego Rivera is a senior developer at the Riscure True Code team. Three years ago, Diego joined Riscure’s software development team and has been working with them on our tools since then. In this interview, Diego discusses the differences between static and dynamic security testing approaches and talks about Riscure True Code and its development.

How did you join Riscure?

I was looking for a job in the Netherlands, and I was contacted by a recruiter. I looked further into what development is like at Riscure, and it looked very interesting. So I went for it, and now I have been here for a few years and counting. I have learned a lot and grown personally and professionally over the last few years.

What is Riscure like internally?

It’s like being at Woodstock for the amount of happiness that you can feel in the air. It has a sort of student vibe, with everyone being ready to help and chat anytime. There are so many random discussions happening at the coffee machines and after work, and I think it is really great to see, to be in this atmosphere, and generally to feel very alive.

At the same time, it is a group of very smart professionals doing serious work. You get challenged with work every day. Being challenged at work is something that brings excitement for me and keeps me going. And Riscure offers me that.

How do you define device security?

Let’s say you have a smartwatch, which contains a lot of sensitive information, like your card as a payment method. If there were no security countermeasures implemented, anyone could build a directional antenna from a Pringles can and hack the device. For under $25. That’s where device security comes in. Because of different regulations and the general consideration of companies, the device (both the chip and its software) has been tested and has passed certain requirements before going to market. That is how you can feel safe about the security of your secrets on the devices you use. However, it is always important to remember that nothing is 100% secure. The further technology develops, the more opportunities for hackers appear. Device security needs to be continuously evaluated and brought up to date. That is why we often receive notifications on our phones and computers to update the software. The question with security is not whether it is possible to break the device, but how long it will take to do so. The longer it takes to break the device, the more secure it is considered.

What is the difference between software and hardware security?

It is quite simple. Hardware security relates to physical objects: a computer, a mouse, and a screen. But software is what drives those hardware pieces and brings them to life. For a computer, it is an operating system; for embedded devices – the firmware. Both hardware and software security need to be considered for success. For software, it is necessary not only to write secure code but also to assess how it interacts with hardware devices and how different processes work. Hardware and software, as well as their security, need to work in synergy. Hardware without firmware or embedded software is the same as a car without a driver – not usable.

What are the most common techniques in software security testing?

At Riscure we focus a lot on white hat hacking. It is when somebody tries to analyze the code or even break it in order to show that it is possible, and advises on how the code can be protected against those security vulnerabilities. For such evaluations in software, there are two types of approaches: static and dynamic analysis. Static analysis is a manual assessment of the code for whether the implementation is good in accordance with the requirements. This is what Riscure Services mainly focuses on. Riscure tools, specifically True Code, take it further with dynamic analysis. True Code is basically software that will try different inputs on the code to see how it behaves in those situations. The same way a human would do it, but a lot faster.

Dynamic analysis is not something many companies do, which makes it exciting to work on the dynamic tool and help development teams analyze the resiliency of their code with it. It also keeps the job challenging and fun. We continuously improve True Code with novelties, like simulation, fuzzing, or allowing the user to provide a software implementation for their proprietary hardware devices. All the changes we introduce make it an effective tool intended for embedded software developers, as it speeds up and simplifies their development process.

Who should consider using Riscure True Code’s dynamic testing?

It is relevant for both blue and red teams. The blue team is similar to what I do as a developer – we deliver functionality. Red teams are sort of the bad guys here, as they try to break something in order to fix it afterwards. Riscure True Code was originally intended for red teams, as it allows them to test many different scenarios faster than manually. Being a machine, it also takes away some biases that humans inherently have, which may lead to finding vulnerabilities that a human wouldn’t. But at the same time, blue teams can use it to create new test cases that can actually run in the CI/CD pipeline. This way it becomes a tool that blue teams can integrate into their development process.

Are there limitations to dynamic analysis?

One limitation of any automatic testing versus manual testing is that you get many false positives. A machine may say that something is there, but it’s up to a human to assess it and see if it needs fixing. Automated tooling is not there to replace people, but to assist them. Therefore, any machine’s decision will need to be checked by a human in the near future. Some, of course, would want complete automation, but it is a great starting point. Analyzing 1000 findings from a tool is much easier and faster than assessing 300 000 lines of code manually. That is a really big improvement.

What latest developments are you seeing in the industry?

Most of the changes that are coming to the industry lately are driven by regulations. For example, in the automotive market, it will soon be a requirement to go through the certification process and test the software and hardware for security, which in the end is great for the user. It brings more confidence in the safety and security of using the car every day and minimizes the chances of a hacker hijacking it.

I also see more and more AI and machine learning appearing. This also opens the path to driverless and self-driving cars. I remember learning to drive when you had to do everything on your own; maybe even parking sensors were not there yet. While it seems a bit scary to trust cars this much, it can also be an amazing tool. And with certifications and requirements coming into place, the technology can indeed be trusted more and more. After all, I’ll trust the decision of a person more than that of a computer. So having regulations in place helps keep new innovations under control.
