Security Assurance in the SDLC for the Internet of Things
During the Internet of Things (IoT) Village held at the from security defects. This article describes the Do you have DEF CON security conference in August 2016, 47 assurance techniques and processes involved in something new vulnerabilities affecting 23 IoT devices from 21 securing such applications and provides guidance to say about manufacturers were disclosed.1 Among these 47 on implementation across the IoT environment. this article? vulnerabilities were software-related vulnerabilities, Visit the Journal e.g., design flaws, hard-coded passwords, IoT Software Components pages of the ISACA® configuration secrets, cryptographic issues, and website (www.isaca. common coding flaws, such as buffer overflows, Each IoT component has its own software. How org/journal), find the invalidated inputs and command injection. can there be assurance that, while running in a real article and click on environment, the component is not allowing malicious the Comments link to The software running on the devices, gateways, persons to hack the software and get access to the share your thoughts. mobile and data center applications, and the data and information collected by devices? Secure interfacing application program interfaces (APIs) software development life cycle (S-SDLC) is the from which the services are consumed should be answer to software security assurance. Figure 1 subjected to assurance to ensure they are free depicts typical IoT components.
Figure 1—Typical IoT Components
Mobile Device 1 Applications
Device 2
Gateway or Cloud and Controller Data Center Device 3 Node Spplications
Bluetooth, MQTT, Wi-Fi Physical Zigbee, 6LOWPAN, Zwave Maintenance Device n Wired, Wi-Fi, 3G/4G Wi-Fi, 3G/4G Serial, Optical Ports
Source: S. Subramanian and B. Swaminathan. Reprinted with permission.
Sivarama Subramanian, CISA Balaji Swaminathan M., CISA, CISSP Is principal security architect at Cognizant Is a security architect at Cognizant Technology Technology Solutions, where he is leading the Solutions, where he is managing the integrated integrated vulnerability assessment delivery vulnerability assessment delivery and research, and research, enabling new service rollouts enabling new service rollouts, and aligning and aligning new security trends with customer new security trends with customer needs. Subramanian can be reached at needs. Swaminathan can be reached at [email protected]. [email protected].
1 ISACA JOURNAL VOL 3 featurefeature
Security should be embedded into the development • Unsigned firmware—Forcing the devices to cycle of the IoT components—be they the device download firmware from unauthorized sources firmware, gateway source code, application source without validation code or API source code. Following a secure SDLC approach would Applications in a typical IoT environment might fall mitigate the common coding flaws and software into one of the following categories: vulnerabilities related to IoT components.
1. Device applications that reside on the nodes Secure SDLC Steps to Address and gateways, e.g., a node.js- or python-based Common Coding Flaws and application running on a smart energy meter Software Vulnerabilities 2. Controlling applications that control and regulate the IoT environment, e.g., web-based or non- The cost of fixing a security bug varies depending web-based applications built on Java, Dot Net, on where it is discovered. If it is discovered in Perl or PHP, typically residing in the data center the production environment, the cost of fixing it or the mobile application operating system, from would include the tangible costs of the developer where the devices can be controlled effort, tester effort, user acceptance testing effort and deployment effort, and the intangible cost of 3. Consuming applications that receive data from reputation and customer trust. If it is discovered the devices for further processing, e.g., web- or during the design phase, then it is very easy to non-web-based applications, typically residing correct the design flaw and introduce a security in the data center, that perform analytics on the measure during the development phase. The cost of received data fixing a defect postproduction is approximately four 2 4. Relay services that format and transfer data times more than fixing it in the development stage. between different components, e.g., APIs, web services that transport the data across devices, applications and other IoT components The cost of fixing a defect There are two categories of vulnerabilities related to postproduction is approximately software. Those are:
1. An insecure web interface, which could allow some four times more than fixing it in of the following common attacks to take place: the development stage. • Injection attacks—Malicious execution of scripts, database queries, system-level commands injected to apps IoT software assurance is the level of confidence • Unprotected secrets—Cleartext/unencrypted and trust that software is free from vulnerabilities configuration secrets, keys and passwords (either intentionally designed into the software or accidentally inserted at any time during its life cycle) • Privilege escalation—Elevating user privileges and the software functions in the intended manner. and user impersonation Security assurance for IoT applications can be best 2. Insecure software/firmware that allows malicious achieved through the adoption of a defense-in-depth users to change the software or compromise the strategy, which, in turn, warrants having a secure device, which can be used as a BOT (software SDLC practice (figure )2 in place. The principal robot) device. The following are some common intent is to build security within the life cycle of attacks: these applications from ground zero that potentially • Firmware corruption—Sending malicious and gradually reduces the flaws in security, design, firmware that could improperly format the implementation and deployment. Proper adherence device logic or install a backdoor to such assurance best practices will result in applications devoid of vulnerabilities that might have
ISACA JOURNAL VOL 3 2 Figure 2—A Secure SDLC