A working group from the Cloud Security Alliance (CSA) published a report to help guide Internet of Things (IoT) developers and designers with security controls in 13 key areas to improve security in IoT products. The security guidance covers secure development, platform security, data/privacy protection, key management and secure communications, just to name a few.
The timely report was issued shortly before the recent IoT-driven cyber attacks on Dyn that affected dozens of major websites in October.
The distributed denial of service (DDoS) attack on Dyn, a major domain name system provider, emphasized the dangerous reality of how millions of vulnerable consumer and enterprise connected IoT devices could be weaponized for cyber attacks on internet and enterprise resources.
Gartner says that 6.4 Billion devices would be online this year. The enormous volume and variety of IoT devices emphasizes the critical need for IoT standards and guidelines. Thus, the timing of the CSA IoT Working Group report, titled “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products,” could not have been better.
We have highlighted and summarized some of the key points from the CSA report that stood out the most to us. This article is the first in a five part series that emphasizes IoT security and security best practices that can also be used for small businesses and enterprises to help improve their overall security program.
The IoT security article series is broken up into the following areas:
- Part 1: Security of Development and Integration Environments for IoT
- Part 2: How to Establish Framework, Platform Security and Privacy Protections for IoT
- Part 3: Hardware-based Security Controls for IoT
- Part 4: Improving Data Security with Secure Communications, Applications and APIs for IoT
- Part 5: Secure Authorization, Authentication and Access Control for IoT
We tried to dissect the report into strategic areas that may be of interest to you if you are more limited on time and need a quick executive summary. We’ll start with the first part that focused on IoT secure development and integration.
Part 1: Security of Development and Integration Environments for IoT
CSA outlines a series of 13 activities that can be used by organizations to enhance security of IoT products. The first two include guidelines on secure development of IoT products and also recommendations on how to implement secure development and integration environments.
Secure development methodology
According to the CSA report, secure development starts with Threat Modeling, used to identify top security threats and potential product flaws that can be attacked and should be addressed.
A good place to start is with the Open Web Application Security Project (OWASP) IoT top 10 surface areas, such as IoT devices, cloud, mobile apps, network interfaces, software, USB ports, physical security and use of encryption and authentication.
Organizations must understand the types of threats such as distributed denial of service attacks (similar to Dyn attacks), information disclosure, elevation of privileges, bypassing physical security and tampering with data, to name a few.
Key security requirements to consider
Some of the security requirements that should be part of secure development processes:
- Use security baselines and standards (such as DISA STIGs) to harden devices and reduce attack surface.
- Build secure processes into IoT product development (e.g., see Cigital’s Building Security in Maturity Model (BSIMM) that consists of 4 domains and 12 practices such as governance, intelligence, secure development touch points and deployment.
- Perform safety impact assessment: consider safety impacts if IoT products/services were compromised; consider other devices/services that could also be impacted with your IoT product/service.
Implement a secure development and integration environment
Software and hardware systems must also be developed and configured securely. The CSA guidelines provide some good examples of industries that have been successful in developing IoT products to include the Motor Industry Software Reliability Association (MISRA) and their secure coding practices for C and C++.
It is further recommended to setup an Integrated Development Environment (IDE) used by developers. IDE often includes security services such as Interactive Static Analysis used to scan/detect and mitigate software vulnerabilities in the code.
See more on OWASP ASIDE project. ASIDE stands for Application Security plugin for Integrated Development Environment, which according to OWASP is an Eclipse Plugin, “a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.”
Don’t forget to also check IoT devices for memory management vulnerabilities, hard-coded credentials and authorization bypass flaws.
Testing and code quality
The Working Group also recommends developers have a feedback loop between making and observing changes as part of agile methodology. See Martin Fowler’s Test Pyramid (for testing products).
Developers should also make sure open source libraries are vetted, from a reputable source and stored securely in a repository after validated. Monitor source code regularly.
Developers can utilize tools such as GitHub and GitLab for critical configuration management needs, such as repository management, issue tracking, code review and more.
For more on IoT security, read the next part 2 (in our 5-part series): “How to Establish a Framework, Platform Security and Data Protections for IoT.”