How to cyber security: 5G is not magic

By : Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group | Thursday, April 29 2021 - 00:30 IWST

5G networking

INDUSTRY.co.id - Some wild claims have been made about 5G networking. I’ve heard mention of self-healing factories and smart highway systems.

While such things might be possible, there’s nothing magical about 5G. In essence, it’s just faster wireless networking than we’ve had before. That’s nice, but hardly revolutionary.

About networking

Networking is hard — it’s one of those subjects that has too much information available rather than too little.

The networking world has so many protocols, so many options, and so many configurations that finding the information you want can be hard, especially for beginners.

Many introductions to networking start with the OSI seven-layer model, which you can find on Wikipedia.

This is a comforting model for instructors, who can give quizzes on the names and functions of the different layers. And it’s a comforting model for students, because it clearly lays out a small, manageable body of information that can be internalised.

Unfortunately, it doesn’t correspond very well to how things actually work.

For most network interactions, it’s impossible to identify all seven layers, and some protocols defy categorisation.

If you must learn about seven layers, learn about this:

The concept of layers is useful

Although the specific seven layers of the OSI model aren’t tethered to reality, the concept of layers is useful. Each layer supports the layer above it. 

Another useful analogy is nesting dolls or envelopes within envelopes. If I want to send some information to the far side of the internet, I’ll put it in an IP packet addressed to the destination.

Then I’ll wrap that up in an Ethernet frame with my gateway as the destination. Then I’ll drop that on the wire. The gateway picks it up and repackages it for the next hop in the cloud.

The Internet protocol suite is usually drawn with a simpler four-layer model (link, internet, transport, application), but again, it's not a perfect model.

Protocols like ARP and TLS don't fit neatly into it: ARP sits between the link and internet layers, translating IP addresses into link-layer addresses, and TLS sits between the transport and application layers. The main thing to remember is that protocols always happen in layers, and typically a different piece of software is responsible for each layer.

Some layers are interchangeable

One of the best things about network layers is that it’s possible to change out layers without reprogramming everything in the world.

For example, the applications on your smartphone live in a world of IP networking, blissfully unaware of whether the IP traffic is carried over a Wi-Fi network or a cellular network.

Your laptop is happy to use IP networking regardless of whether it travels over Wi-Fi or a wired Ethernet connection.

From that standpoint, then, 5G will hardly make a difference for many applications.

Desktop or mobile applications that communicate over IP probably won’t even notice the difference. Is my device on a 4G connection? Wi-Fi? 5G? Does it matter?
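As an added example, not code from the article or from Synopsys, here is the envelopes-within-envelopes picture from the layering section in working Python: a UDP payload is wrapped in an IPv4 packet addressed to the far-side host, and that packet is wrapped in an Ethernet frame addressed to the gateway. The same IP packet is also wrapped in a second, different link-layer header (the BSD null/loopback encapsulation that pcap records as LINKTYPE_NULL) to make the interchangeability point concrete: the receiver strips one envelope per layer and the application gets identical data whichever link layer carried it, which is exactly why it cannot tell Wi-Fi from 4G from 5G. The MAC addresses, IP addresses and ports are constructed sample values; the IPv4 header checksum is the RFC 1071 one's-complement sum, and the parser verifies it before trusting the header.

```python
import socket
import struct

# Constructed sample addressing for this example (not from the article).
SRC_MAC = bytes.fromhex("020000000a01")
GW_MAC = bytes.fromhex("020000000b01")   # my gateway, not the far-side host
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
AF_INET_BSD = 2   # family word carried by the BSD loopback (pcap LINKTYPE_NULL) header


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- sending: innermost envelope first, each layer wrapping the one above it ---

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum is optional over IPv4; 0 means "not computed".
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # version 4, IHL 5 (20-byte header), TTL 64; checksum covers the header only.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def build_null_link(packet: bytes) -> bytes:
    # A different link layer carrying the very same IP packet (host-order family word).
    return struct.pack("=I", AF_INET_BSD) + packet


# --- receiving: each layer strips its own header and hands the rest upward ---

def strip_ethernet(frame: bytes) -> bytes:
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet frame")
    return frame[14:]


def strip_null_link(frame: bytes) -> bytes:
    if len(frame) < 4 or struct.unpack("=I", frame[:4])[0] != AF_INET_BSD:
        raise ValueError("not an IPv4 null-link frame")
    return frame[4:]


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:          # verify before trusting any field
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if total_len > len(packet) or total_len < ihl:
        raise ValueError("bad total length")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "payload": packet[ihl:total_len]}


def parse_udp(segment: bytes) -> dict:
    if len(segment) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return {"sport": sport, "dport": dport, "payload": segment[8:length]}


def deliver(frame: bytes, strip_link) -> tuple:
    """What the application sees; it never learns which link layer carried the frame."""
    ip = parse_ipv4(strip_link(frame))
    if ip["proto"] != PROTO_UDP:
        raise ValueError("not UDP")
    udp = parse_udp(ip["payload"])
    return ip["src"], ip["dst"], udp["dport"], udp["payload"]


def demo(payload: bytes = b"hello") -> tuple:
    """Send one IP packet over two different link layers; return both delivered results."""
    packet = build_ipv4(SRC_IP, DST_IP, PROTO_UDP, build_udp(40000, 53, payload))
    over_ethernet = deliver(build_ethernet(GW_MAC, SRC_MAC, packet), strip_ethernet)
    over_null = deliver(build_null_link(packet), strip_null_link)
    return over_ethernet, over_null


if __name__ == "__main__":
    eth, null = demo()
    print("via Ethernet :", eth)
    print("via null link:", null, "| identical:", eth == null)
```

Note that the Ethernet destination is the gateway's MAC while the IP destination is the far-side host: the outer envelope is only ever addressed to the next hop, and the gateway replaces it with a fresh one for the link it forwards on.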

Some applications will need the increased speed and capacity of 5G networks, but these will be outliers until the technology is more widely deployed and used.

How software security and networks intersect

Network protocols are sets of rules about how computers talk to each other. For example, the HTTP protocol lets browsers and web servers talk to each other to serve web pages to users.

In software security, network protocols are an important part of the attack surface of an application. The attack surface is the collection of all the places where the application takes input, each of which is an attack vector.

One of the fundamental problems of security is correctly handling input, so mapping out the attack surface and testing it properly is critically important.

Because network protocols happen in layers, some of the networking code is probably code that you didn’t write.

For example, let’s say you’ve written a web application. Users (and attackers) provide input to your application using a web browser, so the full protocol stack for the deployed web application includes HTTP, probably TLS, TCP, and IP.

The code you wrote yourself handles only the application data. The other layers are handled by third-party code, probably open source components.

It’s 2021: “That’s not our code” will not cut it

It’s often tempting to abdicate responsibility for third-party code, but such an approach is unwise. What if an airplane manufacturer didn’t take responsibility for the parts it buys from vendors?

A comprehensive approach to application security means managing the open source and third-party components you use to build and deploy your application.

Software composition analysis (SCA) solutions automate much of the work of discovering which components you’re using and identifying the known vulnerabilities and license obligations that come along with those components.

In terms of testing the attack surface of your application, protocol fuzzing is a time-proven technique for locating vulnerabilities by supplying malformed and unexpected inputs. It's especially important to fuzz every layer your application security policy holds you responsible for.

If you’re designing a web application for sharing cat pictures, you might decide that you have sufficient confidence in the Linux kernel, the OpenSSL project, and the Apache web server that you don’t need to perform your own fuzz testing on them.

If you’re designing a web application for protecting nuclear launch codes, you need a much higher level of assurance and will almost certainly want to perform your own fuzzing on all layers of the network protocol stack.
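As an added example, not code from the article or from Synopsys, here is what protocol fuzzing looks like at the one layer you always own, the application data: a constructed HTTP request parser that trusts its input, the same parser hardened so that every malformed request is rejected with one defined error, and a small mutational fuzzer that distinguishes a defined rejection from a crash. The seed request, the parser and its weaknesses are constructed for illustration and describe no real product; the point is the attack-surface discussion above, where every place input is accepted is a place it must be handled correctly.

```python
import random

# Constructed seed request for this example (not from the article).
SEED = b"GET /cats/1.jpg HTTP/1.1\r\nHost: cats.example\r\nContent-Length: 5\r\n\r\nhello"

# Tokens a protocol fuzzer likes to splice in: delimiters, terminators, odd numbers.
INTERESTING = [b"", b" ", b":", b"\r\n", b"\r\n\r\n", b"-1", b"9" * 12, b"\xff", b"%00"]


class MalformedRequest(ValueError):
    """The only exception the hardened parser may raise on bad input."""


def parse_naive(data: bytes) -> dict:
    """Constructed toy parser that trusts its input. Each unchecked step is a place
    where a malformed request escapes as an arbitrary exception."""
    head, body = data.split(b"\r\n\r\n", 1)          # ValueError if no terminator
    lines = head.decode("ascii").split("\r\n")        # UnicodeDecodeError on high bytes
    method, target, version = lines[0].split(" ")     # ValueError on wrong token count
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)              # ValueError if no colon
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # ValueError if non-numeric
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def parse_hardened(data: bytes) -> dict:
    """Same format, but every input-dependent step is checked and rejected uniformly."""
    if len(data) > 8192:
        raise MalformedRequest("request too large")
    parts = data.split(b"\r\n\r\n", 1)
    if len(parts) != 2:
        raise MalformedRequest("missing header terminator")
    head, body = parts
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII byte in headers") from None
    tokens = lines[0].split(" ")
    if len(tokens) != 3 or not tokens[0].isalpha() or not tokens[2].startswith("HTTP/"):
        raise MalformedRequest("bad request line")
    method, target, version = tokens
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise MalformedRequest("bad header line")
        headers[name.strip().lower()] = value.strip()
    length_field = headers.get("content-length", "0")
    if not length_field.isdigit() or len(length_field) > 7:
        raise MalformedRequest("bad Content-Length")
    if len(body) != int(length_field):
        raise MalformedRequest("body length does not match Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte delete, random byte insert, or token splice."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = rng.choice(INTERESTING)
    return bytes(buf)


def fuzz(parser, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Mutational fuzzing. A MalformedRequest is the parser doing its job; any other
    exception is a robustness bug. Returns {exception type name: first crashing input}."""
    rng = random.Random(rng_seed)    # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = seed
        for _ in range(rng.randint(1, 4)):   # stack a few mutations per test case
            case = mutate(case, rng)
        try:
            parser(case)
        except MalformedRequest:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} distinct crash types {sorted(found)}")
```

The harness treats the parser's own rejection type as success and everything else as a finding, which is the same discipline a fuzzer applies to a TLS or TCP implementation one layer down: the protocol is allowed to say no, but it is not allowed to fall over.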

Secure your network with application security testing

A comprehensive approach to security is vital to every phase of application development. Automated application security testing (AST) helps development teams locate and eliminate weaknesses.

The exact mix of testing tools depends on the type of application and the technologies involved, but it usually includes some collection of static application security testing (SAST), SCA, interactive application security testing (IAST), fuzzing, and other dynamic testing.

The key is not blindly running tools, but making informed choices based on risk and policy. You have to decide how much protection your application needs (by making a policy), and then choose tools and integrate them into your development process to achieve the desired reduction in risk.
