Video game security risks are on the rise. Building security into your software development life cycle can help protect your reputation and customers.
You’re supposed to have fun and relax when you’re playing video games—maybe with a bit of self-generated competitive stress.
What you’re not supposed to do is have to worry about a hacker stealing your personal and financial information.
But that’s the risk of doing anything online, which means it’s a risk to the 244 million (and growing) video gamers in the U.S. who have made gaming into an estimated $64 billion industry in the U.S. alone. Thanks in part to the ongoing pandemic, the industry is raking in almost $180 billion worldwide, making it bigger than the global movie and North American sports industries combined.
Those numbers are great for the companies making and selling the most-popular games. And it’s great for gamers, who are relieving some of the boredom of isolation. But it’s also a vast and growing attack surface—making it great for hackers but bad for both game creators and players.
And it means if those creating the games are more focused on getting the next big thing out the door than making sure they built rigorous security and quality into their products, they’re risking not just the security and loyalty of their customers, but their own bottom line as well.
The most recent cautionary tale is “Cyberpunk 2077,” hyped as one of the biggest games of 2020 and featuring a Hollywood-level rollout in December with movie superstar Keanu Reeves. But it wasn’t even close to ready for prime time.
It still sold, and sold well—an estimated 13 million copies from Dec. 10 to Dec. 20, with the game’s maker, Warsaw-based CD Projekt Red, telling investors it had covered its development and marketing costs from 8 million preorders.
But the game was so buggy that Sony removed it from its PlayStation Network, and PlayStation and Xbox, along with GameStop and Best Buy, all offered full refunds.
Simir Shah, regional sales manager with the Synopsys Software Integrity Group and a gamer himself, said the company clearly didn’t make quality and security a focus of the game’s development. Its software testing was, given the results, almost nonexistent.
“The quality issues were so bad because they didn’t run static analysis, they didn’t check the quality of the code, and they didn’t do enough QA overall on it. It was one of the biggest failures, and is now a punchline in the gaming industry,” he said.
And the stakes of such failures are higher now than they were 20 years ago.
“The economics have changed massively,” Shah said, noting that gamers have lots of options, don’t have long attention spans, and are not a patient lot. “If the gameplay sucks, the quality sucks, and it gets stuck, then people are going to leave your platform and go to something else. The quality of play is a big factor in keeping customers.”
And keeping customers is what determines success or failure. “The whole industry is measured by gameplay hours,” Shah said. “That’s how they can tell their game is succeeding—somebody’s playing it 100 hours a week or whatever. If they don’t have eyes on the game, they’re not spending more money on it. They’re not telling their friends about it. So the reputation suffers.”
Additionally, unlike 20 years ago, players can buy much more than the game. “I play a lot of ‘Call of Duty,’ and today I can buy a gun and change it to whatever color I want,” Shah said. “I can buy skins [graphic or audio downloads that change the appearance of characters]. I can spend $500 on top of the $50 I spent on the game in a given year.”
Shah said he heard of a gamer who found a way to manipulate the code in “NBA 2K,” a game popular with basketball players. He was able to give one of his players a 100-foot arm so he could block a shot from anywhere on the court.
“That falls into quality of play,” he said.
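The 100-foot-arm anecdote is a textbook case of a client being trusted with game state it should never own. The mitigation is server-authoritative validation: the server holds a schema of allowed attributes and hard bounds, and rejects (and logs) any update that falls outside it, regardless of what the client sends. The following is an added example written for this article; it is not code from the article, from any named studio or game, and the attribute names, bounds and sample requests are constructed for illustration.

```python
"""Server-authoritative validation of player attribute updates (added example).

The attribute schema, bounds and sample requests below are constructed;
they do not describe any real game's data model.
"""
from dataclasses import dataclass, field

# Constructed schema: every attribute a client may touch, with hard bounds.
# Anything not listed here is rejected outright.
ATTRIBUTE_BOUNDS = {
    "arm_length_cm": (60, 110),   # hypothetical plausible human reach
    "height_cm": (150, 230),
    "speed": (0, 99),
}


@dataclass
class Player:
    player_id: str
    attributes: dict = field(default_factory=dict)


class ValidationError(Exception):
    """Raised when a client-supplied update violates the schema."""


def validate_update(update: dict) -> dict:
    """Return a sanitized copy of `update`, or raise ValidationError.

    Checks performed on every field: the attribute must be known, the
    value must be numeric (bool is deliberately excluded, since it is an
    int subclass in Python), and it must sit inside the configured bounds.
    """
    clean = {}
    for name, value in update.items():
        if name not in ATTRIBUTE_BOUNDS:
            raise ValidationError(f"unknown attribute {name!r}")
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValidationError(f"{name}: non-numeric value {value!r}")
        lo, hi = ATTRIBUTE_BOUNDS[name]
        if not lo <= value <= hi:
            raise ValidationError(f"{name}={value} outside [{lo}, {hi}]")
        clean[name] = value
    return clean


def apply_update(player: Player, update: dict, audit_log: list) -> bool:
    """Apply a client update only if it validates; record the decision.

    Returns True when the update was applied, False when it was rejected.
    Rejections are appended to `audit_log` so anomalies can be detected
    and investigated rather than silently dropped.
    """
    try:
        clean = validate_update(update)
    except ValidationError as err:
        audit_log.append(f"REJECT {player.player_id}: {err}")
        return False
    player.attributes.update(clean)
    audit_log.append(f"ACCEPT {player.player_id}: {clean}")
    return True


if __name__ == "__main__":
    log: list = []
    player = Player("p-0001")
    # Constructed requests: one legitimate, one attempting a 100-foot arm
    # (100 ft is 3048 cm), one touching an attribute the schema never exposed.
    apply_update(player, {"height_cm": 201, "speed": 88}, log)
    apply_update(player, {"arm_length_cm": 3048}, log)
    apply_update(player, {"block_radius": 9999}, log)
    print("\n".join(log))
    print(player.attributes)
```

The point of the design is that the schema lives only on the server; a modified client can send whatever it likes, but the authoritative state never changes unless the value is within bounds, and every rejected request leaves a log line that a detection pipeline can count per player to spot tampering.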
It doesn’t have to be that way, of course. If companies are releasing games riddled with software bugs, it’s not because there’s any deep mystery about how to build secure software.
As any security expert will tell you, “building security in” throughout the software development life cycle (SDLC) requires multiple testing tools and processes that are all well-documented. It’s explained in reports like Synopsys’s annual “Building Security In Maturity Model” (BSIMM). The latest BSIMM tracks software security initiatives (SSIs) in 130 organizations, primarily in nine verticals.
And while SSIs are not all the same, most of them include static, dynamic, and interactive software security testing, along with software composition analysis (SCA) plus penetration testing, or “red teaming,” which mimics hackers to find weaknesses that remain before software products are deployed.
But the gaming industry is unique, according to Shah, in that “art and gaming evolve together. Treyarch, the studio that created ‘Call of Duty,’ consider themselves artists, not software developers.”
Because of that, the studios tend to let the developers run their own SDLC. “[Managers] try to enforce doing things like static analysis and security checks, but those studios run like a production studio. [Developers] bring in the tools they want—they’re allowed to operate independently of what would be a standard SDLC at a big corporation.”
So what’s the best way to convince studios that their art will be more enduring if it’s packaged with security and quality?
“We should start by telling them they don’t want to be the next ‘Cyberpunk’,” Shah said.
“The idea is to address security and quality early in the process. This is not something to address in the QA phase. When you’re planning and developing your initial architecture for the software, you need to build in what tools to use, whether they are manual or automated like static analysis.”
“[Developers] need to remember that the games hold a bunch of PII (personally identifiable information). Credit card information, home addresses—all that stuff’s in there,” he said.
Bottom line: If you want to succeed long-term in gaming, don’t play games with security.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.