Building secure software is the first step toward IoT security. As technology advances, billions more devices are entering our lives. As researchers were saying a few years ago, the Internet of Things (IoT) is rapidly becoming the Internet of Everything (IoE), since everything is becoming a computer: the thermostat, stove, refrigerator, washer, dryer, vehicle and door locks, even lawn mowers and vacuum cleaners.
Strikingly, the number of connected devices has risen from about 7 billion to an estimated 30-plus billion in the past three years, and the trend shows no sign of slowing. So it is crucial to look after the security and privacy of connected devices. Predictably, "smart" devices will be honeycombed with vulnerabilities that attackers will use to steal credentials and identities and to coerce or blackmail users by threatening their physical safety. Mass data collection by Big Tech will make smartphones even more intrusive surveillance trackers than they are now.
We can imagine a world where the software that powers all those devices has security and privacy controls built into it, and is structured to accept updates and patches as vulnerabilities are discovered and threats evolve. Good software security is the digital counterpart of seatbelts, airbags, antilock brakes, lane assist and the other safety features in cars. They don't stop accidents, but they give drivers more protection when accidents happen. The technology, tools and methods needed to make the software running connected devices far more secure and resilient already exist. They just aren't being used nearly as much as they should be.
The most alarming issue is that users don't prioritize security; they focus primarily on the features and price of devices. So manufacturers give them what they want, cool features at a good price, with little attention to security. Major appliances such as stoves, refrigerators, dishwashers, and clothes washers and dryers have a lifespan of 10-plus years, yet ship with far fewer security protections than that lifespan demands. They are made by companies that are experts at building quality hardware but pay much less attention to software security, especially over the long run.
The way to make the future IoT safer is to build security into the software development life cycle (SDLC).
The standard SDLC has eight stages, which run throughout the life cycle of a product. The stages are as follows:
Plan. This stage includes defining requirements for what the software will do and estimating the costs, schedule, procurement needs and staff required to build it. It also has a security component: threat modeling. Also referred to as "thinking like a hacker," the aim is to go beyond the standard list of known attacks and identify threats that are specific to how the system is built or to what the application or device is intended to do. Good threat modeling enumerates assets, threat agents and existing controls to determine which elements attackers are most likely to target, and then identifies remediation measures to reduce those threats. Threat modeling has many benefits, but the most important is that it saves time and money: a design flaw found on paper costs far less to fix than one found in shipped firmware.
Code. Writing the software that implements the design requirements.
Build. Developers assemble the software from their own code plus components acquired from open-source libraries and commercial vendors.
Test. This is the stage where the security team probes the software for vulnerabilities. Rather than a single pass at the end of the SDLC, it calls for several kinds of tooling used throughout development: static, dynamic and interactive testing, plus software composition analysis (SCA) to find known vulnerabilities or licensing conflicts in the open-source components the build pulled in. It also calls for penetration testing before the software is deployed.
Release. The development team packages, manages and deploys releases across the different environments.
Deploy. The software is made available in the production environment.
Operate. The software runs and is used in the production environment.
Monitor. The team tracks the software in production, including system performance, user experience, newly disclosed security vulnerabilities, and analysis of bugs or errors in the system. This is the stage where updates or patches are sent to users to close vulnerabilities or counter new threats.
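The SCA step in the testing stage is easy to describe and easy to get subtly wrong (version comparison, range boundaries, components nobody pinned). The following is an added example in Python, not code from the article or from Synopsys or any other vendor's tool: it parses a requirements.txt-style manifest, matches each pinned component against a small advisory database using OSV-style introduced/fixed ranges, checks licences against a project policy, and flags entries that are not pinned to an exact version because those cannot be assessed at all. Every package name, version, advisory identifier and licence in it is constructed for illustration and corresponds to nothing real.

```python
"""Minimal software composition analysis (SCA) check for a component manifest.

Added example: not code from the article or from any vendor's SCA tool.
Every package name, version, advisory identifier and licence below is
constructed for illustration and corresponds to nothing real.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed manifest in requirements.txt style (name==version).
MANIFEST = """
# constructed manifest for a hypothetical IoT firmware image
netstack==2.1.4
tls-lite==0.9.2
json-parse==1.5.0
ota-updater==3.0.1
logutil>=1.0      # not pinned: SCA cannot tell which version ships
"""

# Constructed advisory database. Ranges are OSV-style: a version is
# affected if introduced <= version < fixed (fixed=None: no fix published).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "netstack",
     "introduced": "2.0.0", "fixed": "2.1.5", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "package": "tls-lite",
     "introduced": "0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "EXAMPLE-2023-0007", "package": "json-parse",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "medium"},
]

# Constructed licence metadata, as an SCA tool would read from package data,
# and the licence policy for this hypothetical proprietary firmware product.
LICENSES = {"netstack": "MIT", "tls-lite": "Apache-2.0",
            "json-parse": "GPL-3.0-only", "ota-updater": "BSD-3-Clause",
            "logutil": "MIT"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(s: str) -> Version:
    """Turn '2.1.4' into (2, 1, 4). A trailing pre-release tag such as
    '-rc1' is dropped, so a pre-release compares equal to its release."""
    nums: List[int] = []
    for part in re.split(r"[.\-+]", s):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def cmp_versions(a: Version, b: Version) -> int:
    """Compare numerically, padding with zeros so '1.2' equals '1.2.0'."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v = parse_version(version)
    if cmp_versions(v, parse_version(introduced)) < 0:
        return False
    return fixed is None or cmp_versions(v, parse_version(fixed)) < 0


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned_version}, [entries that are not exact pins])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-+]*)", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def scan(manifest: str, advisories: List[dict], licenses: Dict[str, str],
         allowed: set) -> List[dict]:
    """One finding per vulnerable-range match, licence violation or unpinned entry."""
    pinned, unpinned = parse_manifest(manifest)
    findings: List[dict] = []
    for name, ver in pinned.items():
        for adv in advisories:
            if adv["package"] == name and is_affected(ver, adv["introduced"], adv.get("fixed")):
                findings.append({"package": name, "version": ver, "kind": "vulnerability",
                                 "detail": f"{adv['id']} ({adv['severity']}); fixed in {adv['fixed'] or 'no fix yet'}"})
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowed:
            findings.append({"package": name, "version": ver, "kind": "license",
                             "detail": f"{lic} is not in the allowed set"})
    for entry in unpinned:
        findings.append({"package": entry, "version": None, "kind": "unpinned",
                         "detail": "not an exact pin; pin a version so it can be assessed"})
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES, LICENSES, ALLOWED_LICENSES):
        print(f"[{f['kind']:<13}] {f['package']} {f['version'] or ''} {f['detail']}")
```

Run against the constructed manifest it reports two vulnerable components (netstack sits inside the affected range, tls-lite below the fixed version), one licence conflict (json-parse is GPL-3.0-only while the policy allows only permissive licences) and one unassessable entry (logutil is not pinned). json-parse 1.5.0 is correctly not flagged for the advisory fixed in 1.4.2, which is the range-boundary logic a hand-rolled string comparison typically gets wrong. A real SCA pipeline replaces the embedded lists with a lockfile and a live advisory feed, but the matching logic is the same.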
Penetration testing uses a variety of tools and manual techniques to find and remove business-critical vulnerabilities in running web applications and web services, without needing access to the source code. It is the final chance to find and fix significant vulnerabilities before exposing those applications and services to the wider world, where malicious attackers will be looking for ways to compromise and exploit them. Obviously, it's better to have white-hat hackers find the defects before the black hats do.
Synopsys offers two levels of pen testing, based on the risk profile:
As said earlier, there is no way to build perfect software, and it isn't worth trying, since that would likely mean never releasing a product. But with an effective software security initiative (SSI) and an SDLC that builds security into software throughout the process, you can become a hard target. Most attackers are looking for easy targets; if your apps, services and networks are difficult to compromise, chances are good that they will move on to someone else.