No doubt precaution is always better than healing. Not just where our biological immune system is concerned, but also when our IT equipment becomes the target of devious attacks from “cyberspace”. In that case, strong, seamless cyber-immunity “from the bottom up” is just as essential. All the more so when – as in the case of Commend’s security-critical systems – it’s not just financial and material assets that are at stake, but potentially even human lives.
For this reason, Commend’s engineers have long been investing considerable effort and budget, and building high-profile research partnerships, to implement the principle of “Privacy and Security by Design” as the standard for developing Cloud-native “Symphony” products. As a result, the products come with IT security embedded firmly in their technical genes from the earliest stages of development.
Better protection through early detection
To ensure a sustainably high level of protection, Commend’s software engineers and product experts maintain intense collaborations with high-profile research partners such as Vienna-based SBA Research. A rising star in its field, the renowned data technology think tank was actually born and bred at the Technical University of Vienna.
As part of an overarching research project, these partnerships are sponsored by the Austrian Research Promotion Agency (FFG). Together with SBA Research, Commend have now concluded yet another crucial project phase. The joint team of experts had been focusing on the security-critical aspects of Commend’s software development since March 2022.
Their key objective was the ability to run rigorous, systematic security analyses and tests at the very earliest stages of product and software module design.
“It’s a crucial ability to have as a developer of Cloud-native solutions such as our Symphony platform,” as Commend’s project leader, Klaus Hirschegger, explains. “Working with SBA Research has allowed us to implement methods for checking individual parts of our software for potential risks at extremely early stages of the coding process. This way, we can make appropriate changes and take the necessary precautions before taking the applications to the next stage. In technical terms this is referred to as a ‘shift-left approach’ to software development. This means that security tests are no longer performed at the end of the development phase, as used to be the case until not long ago. Instead, these tests are run at critical junctures throughout the entire development process. It’s an efficient way to prevent security vulnerabilities in the finished product.” At Commend, these efforts are all bundled under the overarching term, “Privacy and Security by Design”.
All this is made possible by leveraging the latest research from areas such as mathematical modelling and security testing, as provided by the MATRIS Research Group. “I’m always fascinated to see how research and methods from international cooperations find their way into practical products and services. Especially complex industrial systems and processes profit hugely from these kinds of synergies,” says SBA’s project leader, Reinhard Kugler. “It’s knowledge from all kinds of different fields such as security testing, machine learning or threat modelling that provides the necessary basis. They all combine to enable security assessments and tests during the concept and design phase before even a single line of code is written. Best of all, this allows the software engineer to track data flows back to the very code lines that generate them.”
The result: Quality by research
“It’s been a highly successful and extremely interesting project. It has checked all the right boxes in terms of content, focus and preparation,” says Kugler. “A special highlight for us was our techno-savvy exchange of ideas during our workshops.”
All product aspects and production areas were checked and rechecked for potential attack surfaces. At the same time, the system architecture of the Symphony platform was investigated with a view to cyber-security best practices. Along the way it had to undergo a series of hard-hitting hacking attacks during frequent rounds of pen testing.
Passing its test regimen with flying colors, Symphony was finally declared to be “highly robust!” by the experts. As Kugler, himself a passionate pen tester, confirms, “Symphony’s immune system had no difficulties fending off the attacks.” Michael Thalhammer, Head of R&D at Commend International, is also more than happy with the results. “The research partnership has really proved its worth,” he says.
“It allows us to maintain a comprehensive level of quality assurance that extends across the entire Commend ecosystem with all its systems. We’re extremely happy and highly satisfied with the results. Obviously,” he adds, “there’s no such thing as 100% perfect cyber-protection. But thanks to the latest research that helps us put ‘Privacy and Security by Design’ into practice, our customers can rest assured that we’re getting pretty close.”