As we all know, the number of the IoT devices is constantly increasing. According to the highest estimates, the number of the devices will exceed 50 billion by the end of the 2020. IoT devices are building a bridge between embedded systems and traditional IT systems. At the same time there has been an ongoing transition from on-premise IT infrastructures to cloud services. Where traditional embedded devices used to be closed systems, IoT devices are communicating to cloud backend, hybrid environments or with other IoT devices. This transition creates new challenges to secure devices and privacy of the users. As we all are users of some kind of IoT devices, one presumes that devices are secure and safe to use.
Just securing devices is not enough
Security of IoT infrastructure is more complex issue than just securing devices and services running in cloud. It involves both characteristics of securing the product development as well as securing the operational environment. Moreover, one needs to ensure security of IoT devices and developed cloud services within the product development.
From a threat point of view, unsecure devices can open access to backend systems. Where traditional embedded systems included attack vectors solely to local information, IoT devices can open access to other components of the ecosystem. This requires establishing more comprehensive security testing practices also to embedded system components, when they are essential part of a larger system.
Embedded devices contain firmware, which at worst are publicly available in the internet for update purposes. This means that anyone can download the binaries and reverse engineer them. It is not that uncommon to find backend system credential from poorly sanitized binaries. For embedded developers, this kind of threats require new kind of attention to secure binaries and sanitize all the secrets from binary.
In IT products, there has been number of security testing practices. Static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) provide decent combination of automated security testing to be used in application development. It is crucial not to disregard any certain type of security testing, automated or manual, as well as the evaluation of the needs and benefits as part of product risk assessment.
When SAST, DAST and SCA tools are integrated into CI/CD delivery pipeline, the security testing becomes continuous activity of the product development. Although the automated security testing is good starting point, there is also need for manual testing, including penetration testing. Layered approach is effective as different kind of tests mitigate different kind of threats. For example, firmware sanitization should be checked at least in manual tests regularly.
Securing product is not enough
Securing product is not enough. Security risks should be identified and assessed from whole supply chain to establish understanding of entire threat landscape. Protecting development environments and CI/CD-environments should not be neglected in any case. Poorly protected development environment can lead intentional or unintentional vulnerabilities in the products.
IoT product development security checklist:
- Define security level to pursue
- Establish risk management and threat modeling practices over all the developed components
- Define security requirements based on risks and threats
- Perform systematic security testing
- Implement processes to detect and mitigate internal and 3rd party vulnerabilities
- Establish procedures to publish security updates
- Secure development, testing and production environments
Where IT and embedded development used to have narrower context to secure, IoT ecosystem threat landscape is more widespread and diverse. This requires considering security from first development initiatives until the end of the product lifecycle. Although, operational environment has changed, systematic and organized security risk management and testing is still the key to success. Constant consideration of the product security from various viewpoints will ensure that product will also meet the security expectations of the customers.
Riku Nykänen, Security manager & consultant, RD Velho Oy