Building security into IoT software development

The Internet of Things (IoT) will create a software development surge unprecedented in scope and reach. And building security into IoT devices is crucial.

The original version of this post was published on IoT Now.

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.

—Winston S. Churchill

The Internet of Things (IoT) has brought us to a precipice that we have seen before: A new wave of software development is beginning to form that will crest in size beyond our ability to forecast. We saw it as applications moved onto the web and, more recently, as applications moved to mobile devices. In both cases, we did not stop to consider security until the toothpaste was already out of the tube and could not be easily put back.

IoT will create a surge in software development that will be unprecedented in scope and reach. Why? It’s simple.

First of all, a connected device is, by definition, connected to the internet. Anything connected to the internet can be discovered and potentially infiltrated.

Secondly, for the device to function with any degree of intelligence, there must be software. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device.

Finally, devices collect data and send it to a collection point in a back-end application. If the device is compromised, it becomes possible to extract this data. Infiltration of a device also provides hackers with a pivot point to reach other targets. For example:

  • For consumers, access to the home router may provide a path into the home’s alarm system.
  • For businesses, intrusion into an HVAC system may provide a path to POS systems, as happened at Target.

The bottom line is that software is an immutable part of the equation, as are all of the associated security issues. Many of the industries building IoT devices and embedded systems do not have the same experience level with software security as their counterparts in financial services and may not have mature software security initiatives. One problem is that the developers writing the IoT software will assume the developers writing the back-end application are handling security. Meanwhile, the back-end application developers are assuming the mobile application developers are handling security. And so it goes.

In other words, we are doomed to repeat the sins from web application development and mobile application development. Somewhere the ghost of Churchill smiles wryly. So how do we not pick ourselves up and hurry off as if nothing ever happened?


 
Posted by Jim Ivers

Jim Ivers is the senior director of marketing within Synopsys' Software Integrity Group where he leads all aspects of SIG's global marketing strategies, branding initiatives, and programs, as well as product management and product marketing. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Synopsys, Jim was the CMO at companies such as Cigital, Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.

