The three golden rules for software security in the IoT

Violations in coding could be exposing IoT devices to problems that are already well known

 The three golden rules for software security in the IoT

The Internet of Things (IoT) landscape is evolving rapidly. It seems like a week doesn’t go by where a new connected device is launched onto the market. However, this brings with it increasing reports of computer glitches, technical failures and security breaches of such connected devices. So does more connectivity have to mean more downtime?

Recently, Fiat Chrysler recalled 1.4 million vehicles as a result of the Jeep hacking revelation, proving the health of the applications behind connected devices is under greater scrutiny than ever.

No matter whether it’s internal or external which causes such software outages, the security and stability of business applications is paramount to the continued success of many businesses.

Software is often blamed for glitches and cyber attacks because it is invisible, complex and almost impossible to entirely protect from disruptions and breaches. These complexities will only grow with the IoT and can’t be avoided.

> See also: How to prevent the IoT from becoming the Internet of Thieves 

For any organisation developing a product for IoT, understanding the importance of a secure architectural foundation for all software and insisting all internal and external developers comply with industry standards is a priority.

With this ‘ever expanding’ market one may think poorly-written software wouldn’t be the greatest issue. This is far from the truth. We have seen many recent examples of when violations of good coding and architectural practices make an application less reliable and secure.

Such situations leave developers of IoT devices exposed to problems which can destroy reputations and revenues. In the IoT ecosystem, first to market is the competitive driver and so developers are under further time pressure to get products released.

However, this can mean sacrificing quality and dependability for speed. Despite developers’ best intentions, management is always looking for short cuts. Third-party components help offload some of the burden, but in the IoT, with more complexities to mitigate components needs to be maintained and updated to address future or unforeseen problems, just like security vulnerabilities, much faster.

In order to meet these demands, developers should follow the 'Three golden rules for software security in the IoT'.

Code review and repeat testing

The first of these golden rules is the need to prioritise code review and repeat testing. It is the responsibility of the manufacturer to communicate this to the development team, and for them to call for stricter software quality measures to be put in place.

One miscommunication between an application, a sensor and a hardware device can cause systemic failure – something organisations can’t afford to happen.

Robust code review and repeat analysis are the keys to creating a secure foundation. Without this, there is no way of being able to have a quantifiable analyse and measure an application’s source code.

Particular focus must be paid to application health factors designed to reduce risk, such as improving robustness, efficiency and foundational security, and improve its maintainability, such as changeability and transferability.

The plethora of stories about IT glitches shows software failure is something to be expected, a normal part and cost of doing business. It shouldn’t be. In any business, acting quickly on these challenges and solving them can improve its standing and maintain its competitive advantage.

Whichever method of identification and analysis of software quality is used, response to technology failures rests on the firms’ willingness to address the problem promptly or risk mishap after mishap taking its toll on their reputation.

Continuous development in the connected world – are businesses ready?

According to a report from IDC, the IoT market will become one of the most robust markets over the next few years, with an expected growth of 19% this year. The connected world is set to continue to see significant growth for at least a decade, and with new deployments becoming business-as-usual and updates to software and devices happening automatically.

Often, such updates will be pushed automatically, perhaps several times a day. If the software isn’t continuously monitored and the code evaluated, this almost certainly guarantees failure.

Implementing a software quality assurance benchmark on the software that interacts with IoT devices will become a standard operating practice. Thanks to the complexity of IoT, if the software and its patches aren’t continuously monitored and the code evaluated, this almost certainly guarantees failure.

For many organisations, software quality assessment is regarded as having little importance. There are a number of methods and solutions that can identify security flaws in the software.

One option involves inviting ‘White-Hat’ hackers to find vulnerabilities within software (like Volkswagen hiding a big security flaw that researchers had found). For those who would rather keep it in-house, there are software analytics solutions and static-code analysis tools available.

Management must take responsibility

Lastly, it is the responsibility of the management team to be accountable for the software assurance of any products or devices being launched into the IoT market. Any manufacturer without analytics which tracks its software risk – whether reliability, security or performance of the particular software – will be negligent in their responsibility to customers and its duty to its shareholders.

The technical debt incurred by trying to 'make do' with, and add onto, the existing software configurations far exceeds the cost of doing it properly. On average, it costs $7,600 to fix one security bug found during production, but it is often ignored.

By contrast, one breach or shutdown of the system can cost millions to fix after the attack. The average cost of a data breach is said to be $3.8 million and the average cost of an application failure is said to be $500k – $1million per hour. This makes $7,600 seem like a bargain.

There are significant standards and initiatives surrounding quality which help manufacturers and IT departments have a consistent way of measuring the quality of their software.

The Object Management Group (OMG) recently approved a set of global standards proposed by the Consortium for IT Software Quality (CISQ), that helps companies quantify and meet specific goals for software quality. CISQ’s

measurement standards include security, reliability, performance efficiency and maintainability. This will allow businesses to ‘certify’ the quality their code bases and IoT networks.

> See also: Will the Internet of Things be more damaging to security policies than BYOD?

Software glitches don’t make the headlines as much as data breaches do, which can cost an organisation over $100 million due to poor code quality. Over the past year, we have seen a number of well-known technical and retail brands suffer financial and reputational damage from software disasters. This sees software issues being driven out of the back office and into the boardroom.

Aside from the need for software measurement and analytics, education must be front and centre when it comes to ensuring software security in the IoT.

There needs to be clear communication with peers about the direct link between software quality and security. Security vulnerabilities caused by poor coding or system architectural decisions can be some of the most expensive to correct.

Due to its nature, size and complexity, software is almost impossible to completely protect from disruptions and breaches and in the IoT, those complexities will just expand as more devices are added to the network.

Understanding the importance of a secure architectural foundation and insisting that developers comply with industry standards will lead to greater software safety and security of IoT devices.

Sourced from Lev Lesokhin, EVP, Strategy at CAST

Comments (0)