Secure software is the first step to IoT security. To avoid becoming an easy target for hackers, learn how to embed security in your SDLC.
We’re celebrating 2021’s National Cybersecurity Awareness Month by focusing on the future and connected devices.
Some things about the future are easy to predict.
There will be many more devices, billions more. Experts have been saying for years that the Internet of Things (IoT) is quickly becoming the Internet of Everything (IoE), as everything becomes a computer. This includes your thermostat, stove, refrigerator, washer/dryer, vehicle, door locks, and even lawn mowers.
IoT’s growth
In fact, the number of connected devices has increased exponentially in the last three years, going from around 7 billion to over 30 billion. This growth is not slowing.
It’s harder to predict what this will mean for society. It could lead to a dystopian future if the current state of security and privacy for connected devices continues. Supposedly “smart” devices will have vulnerabilities that hackers can exploit to steal credentials and identities and to threaten users’ physical safety. Big Tech will expand the surveillance and tracking capabilities of smartphones by collecting more data.
Stronger IoT security
It doesn’t have to be this way. The future could instead be a world in which all devices are powered by software with privacy and security controls. That software could be built to deliver updates and patches when vulnerabilities are discovered or threats evolve.
Although that won’t make IoT devices immune to attack, it might make them more resilient. Better software security could do for connected devices what seatbelts, airbags, antilock brakes, lane assistance, and other safety features do for cars. These safety features don’t prevent accidents. However, they can help drivers avoid them and provide more protection if they do occur.
It’s possible. There are tools, technologies, and methods that can make software running on connected devices more secure and resilient. They just aren’t being used as often as they should be.
It has been widely reported that users do not care about security. Users are focused on the features and price of their devices. Security is not a priority, and it’s not yet a competitive advantage with consumers. Manufacturers give consumers what they want: cool features and a great price, without worrying about IoT security.
Tim Mackey, senior security strategist at the Ecomservicessummit Cybersecurity Research Center (CyRC), stated that another reason recent connected devices are insecure is their longevity, which is longer than that of apps, laptops and smartphones, which can be updated or replaced in a matter of months to a few years.
He said that major appliances such as stoves, refrigerators and dishwashers have a 10-plus-year lifespan.
These devices are made by companies that have a lot of experience in hardware manufacturing, but not much knowledge about software security, particularly over the long term. Mackey explained, “What does it mean that something was designed 10 years ago using the best practices but now must deal with today’s cyberthreats?”
Security: A paradigm shift
Making that vision a reality takes a paradigm shift. That is difficult, but it is possible. To make the future IoT more secure, you need to integrate security into the software development life cycle (SDLC).
SDLC is a familiar term to those who work in software companies. For those who are new to the world of connected devices, this tutorial will help.
A standard SDLC is made up of eight stages. They run from the initial spark in an entrepreneur’s eye to the ongoing maintenance and support of a product through its entire useful life. These stages are:
1. Plan
This stage involves defining the requirements and estimating the cost, schedule, procurement needs, and staff required to complete the project.
It should also contain a security component: threat modeling. Sometimes described as “thinking like a hacker,” it is the practice of identifying threats unique to your system, or to what your device or application is designed to do.
Good threat modeling involves highlighting assets, threat agents, and controls in order to identify which components attackers are most likely to target, and then determining the best ways to mitigate those threats.
Threat modeling has many benefits, but the main one is its ability to save money and time. It can catch potential design flaws early on, even before any code is written, when they are easier and cheaper to fix or avoid.
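As an added illustration of the threat-modeling step described above (not part of the original article), this Python example lists assets, threat agents and controls for a hypothetical smart door lock and ranks its components by unmitigated attack paths. The device, agents, controls, scores and the scoring formula are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample model of a hypothetical smart door lock; every name and
# score below is an illustrative assumption, not data from the article.
@dataclass
class Component:
    name: str
    asset_value: int      # 1 (low) .. 5 (safety-critical)
    entry_points: set     # interfaces through which the component is reachable
    controls: dict = field(default_factory=dict)  # entry point -> control in place

# Threat agents: the entry points each can reach, and a likelihood score (1..5).
AGENTS = {
    "remote attacker": ({"cloud_api", "ota_update"}, 4),
    "nearby attacker": ({"ble", "wifi"}, 3),
    "physical thief": ({"debug_port"}, 2),
}

COMPONENTS = [
    Component("lock actuator firmware", 5, {"ble", "ota_update", "debug_port"},
              {"ota_update": "signed firmware images"}),
    Component("companion cloud API", 4, {"cloud_api"},
              {"cloud_api": "token auth + rate limiting"}),
    Component("pairing service", 3, {"ble", "wifi"}),
]

def unmitigated(component):
    """List (agent, entry_point, likelihood) for reachable entry points with no control."""
    gaps = []
    for agent, (reach, likelihood) in AGENTS.items():
        for ep in sorted(reach & component.entry_points):
            if ep not in component.controls:
                gaps.append((agent, ep, likelihood))
    return gaps

def rank(components):
    """Score = asset value x summed likelihood of unmitigated paths, highest first."""
    scored = [(c.asset_value * sum(l for _, _, l in unmitigated(c)), c.name)
              for c in components]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for score, name in rank(COMPONENTS):
        print(f"{score:3d}  {name}")
    for c in COMPONENTS:
        for agent, ep, _ in unmitigated(c):
            print(f"  gap: {c.name} <- {agent} via {ep}")
```

The ranking shows where a control is missing for a valuable asset, which is the input the mitigation discussion needs before any code is written.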
2. Code
It’s exactly what it sounds like: software code is written to meet the design requirements.
3. Construct
Modern software is not simply written by one developer. It’s assembled. Some components are proprietary. Others are commercially available or open source.
4. Test
Testing is no longer an isolated stage where security teams probe software for vulnerabilities at the end of the SDLC. It must be pervasive, starting with threat modeling before any coding begins and continuing through production. Multiple testing tools are required, including dynamic, interactive, and static testing during development, and software composition analysis (SCA) to identify vulnerabilities and licensing conflicts in open-source code. Before the software can be deployed, it requires penetration testing. More information on this below.
Intelligent Orchestration is a solution that can manage all AppSec analysis tools without slowing down development. It triggers the appropriate security tests by using the predefined risk policies that each organization has set. The resulting information is delivered to security teams and developers to ensure compliance with all policies.
5. Release
This stage involves the packaging, management, and deployment of releases across various environments.
6. Install
The software is now available for production.
7. Operate
The software is used in the production environment.
8. Monitor
In this stage, the team monitors the software’s performance and analyzes bugs and other errors. This is also the stage where updates and patches are distributed to users in order to fix vulnerabilities or respond to threats.
It is important to remember that an efficient SDLC should not end with the shipment of a product. It should continue throughout the product’s life. While “building security into” software during development can minimize bugs and other defects, it is not perfect. Maintaining IoT devices is how you keep them secure.
Evolution of the SDLC
Understanding the SDLC’s evolution is another key component of security. Software development is more efficient today than it was a few years back. This is the digital equivalent of moving from the horse-and-cart era to a superhighway with modern vehicles.
To keep pace with agile delivery methods and DevOps, security must be automated in both development and testing.
This is a trend that the Building Security In Maturity Model (BSIMM) has noted. It’s a free annual report from Ecomservicessummit that tracks the software security initiatives (SSIs) of organizations across different verticals. BSIMM12 provided an in-depth analysis of the SSIs of 128 organizations.
According to the report, security teams have been lending their expertise, staff and resources to DevOps teams in order to ensure that software delivery is secure. BSIMM12 observed that security testing in QA automation has doubled in the last two years. This is a move many organizations made to collect data and improve their SDLC and governance processes.
eLearning for developers
Security cannot keep up with the pace of technological advancement without automation. But humans must still run the show, so to speak.
To build secure software at current speeds of development, developers must have not only the tools but also the training they require. A good eLearning program will provide this training.
Ecomservicessummit eLearning provides:
- Broad coverage of fundamental security concepts
- Case studies from the real world
- Material and lessons that are relevant to the security issues in the code
- Quick lessons that won’t slow developers down and let them get back to coding
- On-demand courses, so developers can learn when it makes sense for them and fits their schedules
Guidance is also offered by the eLearning platform. If one of our software analysis tools detects a defect, it will recommend the appropriate course.
With this kind of support, developers are more likely to write more secure code, and to do it faster.
Penetration testing
Finally, penetration testing uses a variety of testing tools and manual tests to identify and eliminate business-critical vulnerabilities in running web apps and web services.
It’s a last chance to fix critical vulnerabilities before they are exposed to the wider world, where malicious attackers will be searching for ways to exploit them.
It’s better for white-hat hackers to find flaws before black hats do.
Ecomservicessummit offers pen testing at two levels, depending on the risk profile for each application.
This level comprises manual and automated testing. It focuses on exploratory risk analysis (e.g. complex authentication, anti-automation).
The basic level includes essential service and testing time and effort. This covers attacks that are not on a predefined list, or those that might not have been considered otherwise (e.g. business logic data validation and integrity checks). The standard level includes a manual review to find false positives, and a call to explain the findings.
IoT security is not perfect
We already mentioned that it is impossible to create perfect software. It makes no sense to try, as that would most likely mean never releasing any software.
It is possible, however, to avoid being low-hanging fruit by using an effective SSI and an SDLC that embeds security throughout the process. Attackers are always looking for easy targets. They will likely move on if your apps, services, or networks are hard to compromise.