Tag: Security
How to Navigate the Complex Landscape of Software and Technology Export Controls
The early 2020s were marked by turbulence, and the resulting economic sanctions have profoundly impacted exporting companies around the world. At the same time, groundbreaking advancements in digital infrastructure, such as generative AI and intelligent automation, have sparked debates about regulations governing software and technology export controls in leading nations. These discussions aim to protect competitive advantages and shield nations from emerging threats such as advanced cybercrime and electronic surveillance by foreign entities. As a result, export control restrictions are becoming increasingly complex. I have taken up this topic to help the company that I work for to make sense of these complex regulatory issues. Challenge: Understanding the Regulatory Framework Given the lack of maturity in multilateral processes and national regulations, companies in the software and technology sectors must proactively prepare for new restrictions and controls. Non-compliance with foreign trade laws can lead to legal, financial, and reputational risks. Moreover, macroeconomic trends, including the global economic shift and rising protectionism, will continue to impact organizations involved in export activities. Ignoring exports, that are intangible in nature, is no longer an option. What the technology industry should have learned from the unprecedented economic sanctions of 2022 and the uncertainties surrounding global treaties is that proactive trade compliance is essential. Master´s Thesis Offers an Approach My Master’s thesis offers a thorough review of existing knowledge on software technology export controls, regulatory frameworks, and best practices in both the United States (US) and the European Union (EU). This information has been synthesized into a conceptual framework to help co-create an export compliance framework tailored to software offerings. The goal is to mitigate the risk of non-compliance within the sponsor organization and to clarify the roles and responsibilities of stakeholders in the export compliance process. This process involves business conduct due diligence and adherence to export control regulations, which typically cover four main categories: product controls, end-user controls, export destination controls and controls on the actual end-use. The Wassenaar Arrangement serves as the umbrella for export control regulations. It is a multilateral, non-binding international forum that facilitates the exchange of views and information on international trade in conventional arms and dual-use goods and technologies. The EU and the US have integrated the Wassenaar Arrangement control lists into their legislative frameworks and operational practices. The US has more comprehensive legislation regarding software product-related controls, while the EU has delegated most software-specific regulations to its member states. Key Considerations in Software Technology When it comes to software technology classification, important aspects include encryption features and the functionality of software embedded in dual-use classified end products. The US also monitors the re-export of US-made technology in exports outside its borders. Therefore, all software product development should consider both US and EU legislation when working in international markets. A common element across the Wassenaar Arrangement, the US, and the EU concerning software and technology is the inclusion of information security within their respective national regulations. Solution: A Tool for Export Compliance Drawing from the information security domain, a tool for further content analysis was selected; the People, Process, and Technology framework introduced by Information Security and Privacy expert Bruce Schneier in 1999. This framework became a foundational concept in cybersecurity, emphasizing that when one element changes, the other two must also adapt to maintain a balanced and effective response to change. Schneier (2013) stressed that security should not solely rely on technology but should also incorporate people and processes into a comprehensive security system. The same principle applies to the export compliance landscape. To prevent confusion regarding Technology terminology in export control regulations, the Technology element was modified in the thesis to represent the actual end product, transforming the framework into the People, Process, and Product (PPP) matrix. During the co-creation process with stakeholders, the PPP elements were evaluated through the four categories of export control. Identified findings and related regulatory aspects were consolidated into a matrix, with each cell color-coded to identify the responsible entity. This matrix was designed as a tool to assist in risk mitigation within the export compliance process for software offerings at the sponsor organization. It aims to verify and monitor software exports and clarify the roles and responsibilities of different stakeholders. Preparing for the Future To thrive, businesses must accelerate innovation, enhance risk management, and meet increasingly demanding expectations. Effectively designing and managing their people, processes, and product controls during times of change can provide the necessary insight and understanding to achieve these goals. Consequently, companies engaged in the software and technology business should proactively prepare to adopt new restrictions and controls as they are introduced. By doing so, they can navigate the complex landscape of export controls and ensure compliance in an ever-evolving global market. About the author Aino Herranen is a graduate of Master´s degree program in Business Informatics. Aino has a keen interest in technologies and export compliance, and has selected this area for doing her Master´s thesis. References: Herranen, Aino. 2024. Building an Export Compliance Framework: Intangible Technology Transfer – Software offerings. Metropolia University of Applied Sciences. Master’s Thesis. https://www.theseus.fi/handle/10024/856483 Schneier, Bruce. 2013. "People, Process, and Technology". Blog. Pulished 30/01/2013. https://www.schneier.com/blog/archives/2013/01/people_process.html This document benefited from the use of OpenAI's ChatGPT for grammar and style checks.
Integrating Security into Continuous Delivery
Adopting a DevOps strategy for software development aims to significantly increase the speed of software delivery process by working in small batches and ensuring software is always releasable. This way of working is often called Continuous Delivery. However, the increased speed in software delivery creates challenges for existing security processes and practices. To ensure security concerns are identified before the software is released, security must be integrated into the Continuous Delivery process. This was the topic of my Master’s thesis that has just been completed as part of Metropolia Master´s studies. When working as a consultant helping organizations with all things around DevOps and Continuous Delivery, I have noticed that security is still often not integrated into the process as well as it could. For sure, most professionals try to think of security while implementing new features and automation. Yet, often I think we tell ourselves that there should be security experts in the organization that will be ultimately responsible for the security of the solution. Here, I can take myself as an example. Although I have discovered many great open-source security tools that could be used at various stages of the software development and delivery process, rarely did I feel like I have the time and mandate to take them into real use in projects. This is a mindset which, I think, should be changed; everyone who contributes to the software delivery should be responsible for security. Realizing it as a problem, I turned this challenge into a Master’s Thesis topic when I started my studies at Metropolia. According to my initial idea, integrating the available open-source security tools into the Continuous Delivery processes would provide a fast feedback loop on security threats and vulnerabilities that developers might accidently introduce while working on projects (Vainio 2023). This is what the Master´s thesis finally achieved. What is Continuous Delivery? In my experience, a successful DevOps strategy for software delivery revolves around the concept of Continuous Delivery which was popularized by David Farley and Jez Humble in their 2010 book called “Continuous Delivery”. (Farley & Humble 2010) More technical readers will know that continuous Delivery extends the earlier coined Continuous Integration concept and takes it to its logical conclusion: every change to the software should be followed by multiple stages of automated testing to verify that the software is releasable; and if the testing fails, everyone must work together to either rollback the change or fix the issue. These stages are arranged into what is called the deployment pipeline. It is easiest to understand the concept with help a diagram such as the one below: Figure 1. Example of a Deployment Pipeline (Vainio 2023, picture modified from Farley & Humble 2010). The deployment pipeline in Figure 1 is triggered by a change to the software’s code base and is then followed by multiple stages of testing. Finally, if tests are successful, the software should reach a releasable state. Given that the team is already working with a deployment pipeline, it presents an opportunity to integrate automated security tests into this process. Integrating Security Since Continuous Delivery aims for software that is always releasable, this means that the security posture of the software and the related deployment infrastructure must also be in a secure, releasable state. It might seem obvious by now, but the below diagram shows how security tests can be bolted onto the deployment pipeline: Figure 2. Example of an Enhanced Deployment Pipeline (Vainio 2023). As seen in Figure 2 above, security tests fit right into the deployment pipeline. Ideally, the security tests are run in parallel to the existing tests. This is the desired implementation that aims for security tests that don’t slow down the pipeline execution and thus the delivery process. It seems obvious that security should be one of the characteristics of the software that is tested during the deployment pipeline. But as often happens, this simple idea can be tricky to implement in practice unless you are a security expert, and that’s why I wanted to study and discover the practical ways for anyone working on the delivery process to find effective ways to integrate security tests into the process. My Master’s Thesis describes a security framework based on these core ideas. Following the thesis, in my company we have internalized this approach and developed additional practical examples and information around the security tools and practices. It is still very early days for the full-scale adoption of the framework, but we have started the journey to fully embrace the idea that security has to be an integral part of everything that we deliver. References Farley, D. & Humble, J. (2010). Continuous Delivery. Reliable Software Releases Through Build, Test and Deployment Automation. Boston: Pearson Education, Inc Vainio, M. (2023). Practical Framework for Continuous Delivery: Master´s Thesis. Metropolia UAS. 77 pages. https://www.theseus.fi/handle/10024/810697 About the author Mike Vainio is a double alumnus of Metropolia University of Applied Sciences. He first graduated as an Engineer of Information and Communication technology (Bachelor, 2014) and then graduated as a Master in Business Informatics in December 2023. Among other professional topics, Mike has a keen interest in security in software development.
The editorial team will provide the content of the Masterminds blog before publication.
The editorial team started its work at the beginning of 2022.
Pia Koirikivi, chief editor in Masterminds blog, Pedagogical Specialist
Minna Kaihovirta, Manager of Dialog
Iira Lankinen, Principal Lecturer
Riikka Wallin, Publications Specialist
Zinaida Grabovskaia, Senior Lecturer
Salla Kivelä, Principal Lecturer
Ai technology Business Informatics Master’s Program circular economy continuous delivery Corporate Social Responsibility CRASH cultural well-being Demand Forecasting digital transformation electric car engineering ethichs IPR Machine Learning Master's Degree in Procurement Master's Thesis Master Degree Programme in Business Informatics Masters programme master student Master studies master thesis Master’s Programme in Creativity and Arts in Social and Health Fields Metropolia Business School online studies patent management remote studies Reshoring ride-sharing Security software student experience study abroad Study exchange study trip Supply Planning Sustainability technology
