How to cyber security: 5G is not magic

By : Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group | Thursday, April 29 2021 - 00:30 IWST

5G networking

INDUSTRY.co.id - Some wild claims have been made about 5G networking. I’ve heard mention of self-healing factories and smart highway systems.

While such things might be possible, there’s nothing magical about 5G. In essence, it’s just faster wireless networking than we’ve had before. That’s nice, but hardly revolutionary.

About networking

Networking is hard — it’s one of those subjects that has too much information available rather than too little.

The networking world has so many protocols, so many options, and so many configurations that finding the information you want can be hard, especially for beginners.

Many introductions to networking start with the OSI seven-layer model, which you can find on Wikipedia.

This is a comforting model for instructors, who can give quizzes on the names and functions of the different layers. And it’s a comforting model for students, because it clearly lays out a small, manageable body of information that can be internalised.

Unfortunately, it doesn’t correspond very well to how things actually work.

For most network interactions, it’s impossible to identify all seven layers, and some protocols defy categorisation.

If you must learn about seven layers, learn about this:

The concept of layers is useful

Although the specific seven layers of the OSI model aren’t tethered to reality, the concept of layers is useful. Each layer supports the layer above it. 

Another useful analogy is nesting dolls, or envelopes within envelopes. If I want to send some information to the far side of the internet, I’ll put it in an IP packet addressed to the destination.

Then I’ll wrap that up in an Ethernet frame addressed to my gateway’s MAC address and drop it on the wire. The gateway strips off the Ethernet frame, leaves the IP packet as it is (apart from decrementing the TTL), and repackages it in a new link-layer frame for the next hop towards the destination.

The TCP/IP model has a simpler set of layers (link, internet, transport, application), but again, it’s not a perfect model.

Protocols like ARP (which sits between the link and internet layers) and TLS (which sits between transport and application) don’t fit neatly into it. The main thing to remember is that protocols always happen in layers, and typically different pieces of software are responsible for each layer.
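The envelopes-within-envelopes idea, worked through in code. This is an added example, not part of the original article: it builds a UDP datagram, wraps it in an IPv4 packet, wraps that in an Ethernet frame addressed to the gateway, then peels the layers back off and shows what a gateway does at the next hop. The MAC addresses, IP addresses and payload are constructed for illustration.

```python
"""Added example: encapsulate application data in UDP -> IPv4 -> Ethernet,
then unwrap it again. All addresses and the payload are constructed."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64) -> bytes:
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0x4000, ttl, IPPROTO_UDP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    # Fill in the checksum field (bytes 10-11) once the rest of the header is fixed.
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def build_ethernet(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def unwrap(frame: bytes) -> dict:
    """Parse outermost to innermost, validating each layer before trusting the next."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    # A correct header sums to zero when the checksum field itself is included.
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl + 8 or total_len > len(ip):
        raise ValueError("bad total length")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "src_port": src_port, "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


def is_valid(frame: bytes) -> bool:
    try:
        unwrap(frame)
        return True
    except ValueError:
        return False


def forward(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """What the gateway does: new Ethernet envelope, TTL minus one, fresh IP checksum.
    The IP addresses, UDP header and payload pass through untouched."""
    if unwrap(frame)["ttl"] <= 1:  # validate before forwarding
        raise ValueError("TTL expired")
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return build_ethernet(router_mac, next_hop_mac, bytes(ip))


# Constructed sample: my laptop sends "hello" to a far-away host via the gateway.
FRAME = build_ethernet(
    "02:00:00:00:00:01", "02:00:00:00:00:fe",   # my NIC -> gateway MAC
    build_ipv4("192.0.2.10", "198.51.100.7",    # end-to-end IP addresses
               build_udp(40000, 5353, b"hello")),
)

if __name__ == "__main__":
    print(unwrap(FRAME))
    print(unwrap(forward(FRAME, "02:00:00:00:00:fe", "02:00:00:00:01:00")))
```

Note that the Ethernet destination (the gateway) and the IP destination (the far-end host) differ, and that `forward` rewrites only the outer envelope: the application data never changes, which is exactly why the application does not care whether that outer envelope is Ethernet, Wi-Fi or a cellular bearer.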

Some layers are interchangeable

One of the best things about network layers is that it’s possible to change out layers without reprogramming everything in the world.

For example, the applications on your smartphone live in a world of IP networking, blissfully unaware of whether the IP traffic is carried over a Wi-Fi network or a cellular network.

Your laptop is happy to use IP networking regardless of whether it travels over Wi-Fi or a wired Ethernet connection.

From that standpoint, then, 5G will hardly make a difference for many applications.

Desktop or mobile applications that communicate over IP probably won’t even notice the difference. Is my device on a 4G connection? Wi-Fi? 5G? Does it matter?

Some applications will need the increased speed and capacity of 5G networks, but these will be outliers until the technology is more widely deployed and used.

How software security and networks intersect

Network protocols are sets of rules about how computers talk to each other. For example, the HTTP protocol lets browsers and web servers talk to each other to serve web pages to users.

In software security, network protocols are an important part of the attack surface of an application. The attack surface is the collection of all the places where the application takes input, each of which is an attack vector.

One of the fundamental problems of security is correctly handling input, so mapping out the attack surface and testing it properly is critically important.

Because network protocols happen in layers, some of the networking code is probably code that you didn’t write.

For example, let’s say you’ve written a web application. Users (and attackers) provide input to your application using a web browser, so the full protocol stack for the deployed web application includes HTTP, probably TLS, TCP, and IP.

The code you wrote yourself handles only the application data. The other layers are handled by third-party code, probably open source components: a library such as OpenSSL for TLS, and the operating system’s network stack for TCP and IP.

It’s 2021: “That’s not our code” will not cut it

It’s often tempting to abdicate responsibility for third-party code, but such an approach is unwise. What if an airplane manufacturer didn’t take responsibility for the parts it buys from vendors?

A comprehensive approach to application security means managing the open source and third-party components you use to build and deploy your application.

Software composition analysis (SCA) solutions automate much of the work of discovering which components you’re using and identifying the known vulnerabilities and license obligations that come along with those components.

In terms of testing the attack surface of your application, protocol fuzzing is a time-proven technique for locating vulnerabilities by supplying malformed and unexpected inputs. It’s especially important to fuzz every layer that your application security policy says you are responsible for.

If you’re designing a web application for sharing cat pictures, you might decide that you have sufficient confidence in the Linux kernel, the OpenSSL project, and the Apache web server that you don’t need to perform your own fuzz testing on them.

If you’re designing a web application for protecting nuclear launch codes, you need a much higher level of assurance and will almost certainly want to perform your own fuzzing on all layers of the network protocol stack.
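Protocol fuzzing at the HTTP layer, as an added example that is not part of the original article. The harness mutates a known-good request and feeds each variant to a parser; any exception other than the parser’s own clean rejection counts as a finding. Both parsers are constructed for this example: `naive_parse` is deliberately sloppy, `strict_parse` checks each field before using it. The seed request and the mutation operators are assumptions, chosen to resemble what a real fuzzer does.

```python
"""Added example: a small mutation-based fuzzer run against two constructed
HTTP request parsers. Seed request and parsers are illustrative, not real code."""
import random
import re

SEED = b"GET /cats/1 HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
MAX_REQUEST = 64 * 1024
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 tchar


class ParseError(Exception):
    """Controlled rejection: the only exception a parser is allowed to raise."""


def naive_parse(raw: bytes) -> dict:
    """Works on well-formed input; every line below assumes something about it."""
    head, body = raw.split(b"\r\n\r\n", 1)            # assumes the separator exists
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")   # assumes exactly two spaces
    headers = {}
    for line in lines[1:]:
        name, value = line.split(b":", 1)            # assumes every header has a colon
        headers[name.strip().lower()] = value.strip()
    length = int(headers[b"content-length"])         # assumes present and numeric
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def strict_parse(raw: bytes) -> dict:
    """Same job, but validates each layer of the message before trusting it."""
    if len(raw) > MAX_REQUEST:
        raise ParseError("request too large")
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ParseError("headers not terminated")
    head, body = raw[:sep], raw[sep + 4:]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or not parts[0].isalpha() or not parts[1].startswith(b"/")
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1")):
        raise ParseError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.fullmatch(name):
            raise ParseError("malformed header field")
        headers[name.lower()] = value.strip()
    length = headers.get(b"content-length", b"0")
    if not length.isdigit() or len(length) > 10:
        raise ParseError("bad Content-Length")
    n = int(length)
    if n > len(body):
        raise ParseError("body shorter than Content-Length")
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body[:n]}


# Tokens an HTTP parser is likely to care about; splicing them in is more
# productive than purely random bytes.
INTERESTING = [b" ", b"\r\n", b"\r\n\r\n", b":", b"\x00", b"-1", b"9" * 12, b"\xff"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random edits to a copy of the seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:                      # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:                    # delete a short run
            i = rng.randrange(len(buf))
            del buf[i:i + rng.randint(1, 8)]
        elif op == 2:                            # splice in an interesting token
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = rng.choice(INTERESTING)
        elif buf:                                # duplicate a short run
            i = rng.randrange(len(buf))
            buf[i:i] = buf[i:i + rng.randint(1, 16)]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception type name: first input that triggered it} for crashes."""
    rng = random.Random(rng_seed)       # fixed seed so a finding can be reproduced
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue                    # clean rejection is the contract, not a bug
        except Exception as exc:        # anything else is a path nobody planned for
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", naive_parse), ("strict", strict_parse)):
        found = fuzz(parser, SEED)
        print(name, sorted(found) or "no crashes")
```

The same harness fuzzes any layer: swap the seed for a raw IPv4 packet or a TLS ClientHello and the parser for the code that handles it, and the question stays the same, namely whether malformed input is rejected deliberately or makes the code fall over in a way nobody designed. In Python a crash is an unexpected exception; in C the same sloppiness becomes an out-of-bounds read or write.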

Secure your network with application security testing

A comprehensive approach to security is vital to every phase of application development. Automated application security testing (AST) helps development teams locate and eliminate weaknesses.

The exact mix of testing tools depends on the type of application and the technologies involved, but it usually includes some collection of static application security testing (SAST), SCA, interactive application security testing (IAST), fuzzing, and other dynamic testing.

The key is not blindly running tools, but making informed choices based on risk and policy. You have to decide how much protection your application needs (by making a policy), and then choose tools and integrate them into your development process to achieve the desired reduction in risk.
