Developers need to complement the massive increase in connectivity that 5G will bring to our digital lives with a renewed commitment to building in security at the outset. This was the appeal Samsung’s CIO and Executive Vice President of IT and Mobile Communications Terry Halvorsen made to those attending Samsung Developer Conference (SDC) 2019.
Speaking to the thousands who have gathered in San Jose to explore the latest platforms and tools to create mobile apps, Halvorsen took time during the opening keynote to reflect on his 37 years working in government entities, such as the U.S. Department of Defense. The struggle to ensure the security of the nation’s biggest and most critical networks, Halvorsen said, led him to learn about Samsung’s “best in class security model,” and ultimately join the company and help his peers address security amid the next wave of IT change.
With great connectivity comes great responsibility
While the arrival of 5G will enable the development of smart cities and factories and fulfill the promise of the internet of things (IoT), Halvorsen said it will also create additional points of vulnerability across networks.
“If we don’t address that, 5G will be just the fastest way for people to get in and get all of our data,” Halvorsen said. “We have to flip that around, and make security a key part of this and win the security battle.”
Evaluate Your Mobile Security Plan
Discover if you have the right mobile security plan for your business. Download Now
In practice, Halvorsen added, this may require developers and the organizations they work for to rethink the full life cycle of creating mobile apps and putting some priorities ahead of feature sets.
“You need to talk about [security] from the first moment that new software, that new hardware idea, enters your head,” he advised. “You have to start baking that security process in from the beginning. We need you all to be thinking that way.”
Why the shift demands greater security
Use cases around the IoT in particular have driven the conversation about improved data security in 5G networking, Samsung Electronics Principal Engineer Younsun Kim said during an SDC breakout session. Whereas 2G networks only focused on voice traffic, for instance, everything from 3G onward has had to layer in packet architectures that accommodate data, voice over IP and now sensor data.
“[The companies in the IoT ecosystem] did not want their data to be mixed with mobile broadband data,” he said. “They made it clear they wanted a separate slice.”
Although 5G provides that dedicated slice, the volume and complexity of traffic is only going to increase, Kim said. Video monitoring and industrial automation, for instance, will shift much of the demand for bandwidth, reliability and low latency of 5G to machine-to-machine communications, where an IT security incident could have devastating consequences.
Automating security intelligence
Even with the best of intentions, meanwhile, security threats and vulnerabilities are easy to miss, given the manual processes still employed to find them, warned Yong Ho Hwang, head of security Samsung Research’s 1Lab, during his session on coding with security in mind.
This usually involves obtaining a list of common vulnerabilities and exposures (CVE) from the National Vulnerability Database (NVD), finding the number of possible problems, finding the necessary patches across third-party sites and then releasing an application, Hwang explained.
The reality, however, is that developers need to double-check details about whatever open source software they’re using, whether they have the correct patch information and whether they can update their code without causing any performance issues.
This was what drove Samsung to develop its Automated Vulnerability Analysis System (AVAS), Hwang said, as well as a credential scanner and automated “fuzzer” that checks for bugs by introducing unexpected or random data. These tools can be coupled with the Samsung Security Management System (SSMS) that Samsung uses to manage the full life cycle of its own products.
A new channel to access Knox features
Of course, Samsung also offers the Knox platform, but until recently it has been difficult for IT departments to ensure access to the constant flow of new capabilities.
“There’s always challenges between what the customers want and what the partners can integrate with,” said Rajiv Kavuri, who works within Samsung Research’s security and services team. “Every time there’s a new integration, there’s a cost to support those APIs [application programming interfaces].”
Samsung is now addressing this issue with the Knox Service Plugin (KSP), which is available as an app on the Google Play Store. According to Kavuri, the KSP lets IT admins easily set up Knox policies, even if they’re not supported by their unified endpoint management’s (UEM) native console. Developers simply need to think about handling an OEMConfig schema that helps create a data-driven user interface design and a feedback channel that helps gather results and display them to IT admins, he said.
In the opening keynote, Samsung’s technical lead for the Knox framework, Seungyun Lee, also discussed how the Knox software development kit (SDK) will allow partners to strengthen the data security in their apps with dual data at rest (DualDAR). Developers and researchers are also honking their security skills at SDC through a “capture the flag” competition open to all within an area called Hacker’s Playground.
“It’s not enough for us to have Knox in our back pocket,” Lee said. “We want you, our partners, to build on it, too.”
Discover the ways Samsung’s business security solutions keep your business secure from the chip up. Learn how to securely optimize tablets for your unique organizational needs in this free white paper.