How to Use IoT Security Best Practices at Every Level

November 16, 2016

IoT security is not something added to a device, like an exterior casing, but must be an integral part of it – designed from the very beginning. A secure, connected product is an essential part of the IoT’s basic function.

So it is imperative that security be part of the product development lifecycle at every phase.

Use a development framework

Fortunately, there are several robust, tested development frameworks that can guide the process by applying a secure Software Development Lifecycle (SDL) coding practice. They include Open Web Application Security Project’s (OWASP’s) Open Software Assurance Maturity Model (OpenSAMM), Microsoft’s Security Development Lifecycle (MSDL), and Cigital Software Security Touchpoints.

The urge to shorten product lifecycles to speed time-to-market will always be present. The consequences of shipping a product with a possible security vulnerability should always be kept in mind. Patches, recalls, and bad publicity have a way of reducing first-to-market advantages.

Aside from baking security into the design, SDLs also lower development costs, since late changes, especially those made after deployment, have a way of dramatically adding unanticipated costs.

Be conscious of IoT’s other security vulnerabilities

IoT devices have several other specific issues that make this kind of application security even more important. First, they will be out in the field for a long period of time. How often does someone replace an industrial generator or a machine tool? Upgrade and patch processes must be well-established.

Second, IoT deployment is a team sport. As a result, vendors also must follow a standard development model so that the components are equally secure.

Ensuring security at every level

You can think of this as “fractal security”: there is no one level at which security resides. No matter where you look, security should be part of the design.

The OpenSAMM model, for example, sees four business functions in application security:

  • Governance: How have you built security concerns into the way your company works?
  • Construction: Is security a part of every application?
  • Verification: What procedures will you use to test each application for vulnerabilities?
  • Deployment: How will you securely produce your application and get it out into use?

Any new IoT device includes many tempting attack surfaces for hackers. The complexity is such that you absolutely need a robust development process. After all, it only takes one vulnerability to take down your system.

Security: resolutely unsexy, absolutely essential

The more IoT devices get deployed, the greater the latent security problems will be. The key word there is “latent”. There may be a period when breaches are small, low-publicity, or localized: an automobile starter motor here, a home surveillance device there. Companies will scramble to contain the problem and its attendant publicity.

But what’s on the horizon is a global security vulnerability. The breadth of the recalls will be unprecedented. Companies with a transparent, articulate, and easily verified secure SDL will weather the storm and prosper. Those without one may well fail.

 
