On the Predix Platform, it’s essential that developers are well versed in the most common cyber vulnerabilities and potential attack surfaces, as well as in how to prevent or shut them down during the requirements gathering and architecture/design phases of development. For example, developers should understand how to minimize the number of high-consequence targets by applying the principle of least privilege; separation of privileges, duties, and roles; and separation of domains.
From a coding/implementation perspective, the platform requires that all products go through rigorous defensive and offensive security tests to identify and remediate vulnerabilities prior to production deployment. GE Digital uses leading-edge testing tools and best-of-breed ethical hackers to evaluate and ensure that no security vulnerabilities have been overlooked, as well as to reassure customers and partners that our products are embedded with the utmost, pervasive security protection.
All developers on the Predix Platform are required to follow GE’s Secure Development Lifecycle (SDL) best practices at every layer (including infrastructure, platform, data, and application services), with the goal of reducing risk exposure for the platform and its ecosystem of products and services. Comprising tracks for training, secure design and architecture, threat modeling, and security scans and penetration testing, the SDL framework establishes a set of requirements and guidelines to ensure security is built in, not bolted on, to Predix products, applications, and services. More specifically, the tracks include:
- Developer Security Training. Ongoing courses are provided to developers to improve their understanding of techniques for identifying and mitigating security vulnerabilities. Training focuses on topics like threat modeling, DAST, and coding techniques to prevent common defects such as SQL injection.
- Design/Architecture Review. A collaborative effort between the ISV customer development/engineering teams and their own product security group to assess and develop application or service design patterns that mitigate risk to the platform and associated applications and services.
- Threat Modeling. A structured approach for analyzing the security of an application, with special consideration for boundaries between logical system components that often communicate across one or more networks.
- Security User Stories/Security Requirements. A description of functional and non-functional attributes of a software product and its environment that must be in place to prevent security vulnerabilities.
- Automated Dynamic Application Security Testing (DAST). A process of testing an application or software product in an operating state, implemented by a Web application security scanner.
- Automated Static Application Security Testing (SAST). A process of testing an application or software product in a non-operating state, analyzing the source code for common security vulnerabilities.
- Open Source Software (OSS) Vulnerability Testing. A process of testing to identify open source software in the product code base, map known vulnerabilities, and recommend remediation for detected vulnerabilities.
- Red Team Penetration Testing. Hands-on security testing of a runtime system to uncover more complex security flaws potentially missed by DAST or SAST tools.
The Predix Platform allows developers to design, deploy, validate, and market products to a large ecosystem of industrial partners. They’re not only partnering with GE; they’re becoming members of an extended community of developers and industrial specialists that includes other technology companies, academia, consultants, and systems integrators. It’s a place where developers can build trusted, meaningful apps faster, and where everyone can flourish under a common goal.