Software Integrity

Building security into IoT software development

Originally posted on IoT Now

“Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.”
Winston S. Churchill

The Internet of Things (IoT) has brought us to a precipice that we have seen before: a new wave of software development is beginning to form that will crest in size beyond our ability to forecast. We saw it as applications moved onto the Web, and, more recently, as applications moved to mobile devices. In both cases, we did not stop to consider security until the toothpaste was already out of the tube and could not be easily put back, says Jim Ivers, Senior Director of Marketing at Synopsys Software Integrity Group.

IoT will create a surge in software development that will be unprecedented in scope and reach. Why? It’s simple.

First of all, a connected device is, by definition, connected to the Internet. Anything connected to the Internet can be discovered and potentially infiltrated. Secondly, for the device to function with any degree of intelligence, there must be software. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Finally, devices collect data and send them to a collection point in a back end application. If the device is compromised, it becomes possible to extract this data. Infiltration of a device provides hackers a pivot point to reach other targets. For example:

  • For consumers, the access to the home router may provide a path into the home’s alarm system.
  • For businesses, intrusion into an HVAC system may provide a path to POS systems, such as what happened at Target.

The bottom line is that software is an immutable part of the equation, as are all of the associated security issues. Many of the industries building IoT devices and embedded systems do not have the same experience level with software security as their counterparts in financial services and may not have mature software security initiatives. One problem is that the developers writing the IoT software will assume the developers writing the back-end application are handling security. Meanwhile, the back-end application developers are assuming the mobile application developers are handling security. And so it goes.

In other words, we are doomed to repeat the sins from web application development and mobile application development. Somewhere the ghost of Churchill smiles wryly. So how do we not pick ourselves up and hurry off as if nothing ever happened?

Protect yourself from the IoT software security tidal wave.