First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.
That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”
“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”
The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.
What’s the Problem?
It used to be that only computing equipment was connected to the internet, but now all sorts of previously offline “things” — consumer appliances, medical devices, industrial machinery, building equipment, vehicles — are also online.
Equipped with sensors of different sorts and for different purposes, these “things” collect valuable data from the physical world and transmit it, so it can be analyzed and acted upon, which, of course, yields many benefits. This connectivity also makes it possible to monitor and manage these “things” remotely.
“Important IoT application domains span almost all major economic sectors: health, education, agriculture, transportation, manufacturing, electric grids, and many more,” reads a recent OECD (Organisation for Economic Co-operation and Development) report titled The Internet of Things: Seizing the Benefits and Addressing the Challenges.
“Proponents of IoT techniques see a world in which a bridge’s structural weaknesses are detected before it collapses, in which intelligent transportation and resilient electrical grids offer pleasant and efficient cities for people to live and work in, and in which IoT-supported e-applications transform medicine, education, and business,” states the OECD.
Unfortunately, security with regards to IoT has been an afterthought, and, considering that already there are billions of connected “things,” this has opened up a vast universe of new attack opportunities for cyber criminals that want to:
- steal confidential information from individuals and businesses
- tamper with these “things” in order to create chaos
- distribute malware
- hijack the computing capacity and network bandwidth of these “things” to carry out massive strikes
In what’s probably the highest-profile IoT attack to date, hackers infected more than 100,000 connected devices (mostly security cameras and DVRs) with Mirai malware , created a gargantuan botnet, and used it to blast DNS (domain name system) provider Dyn with a vicious DDoS (distributed denial of service) attack that slowed and knocked offline many popular websites last October.
AppSec: A Straightforward Solution to the Big IoT Problem
The key to protecting IoT is far from a mystery, according to Kent. “IoT doesn’t change the game,” he said.
In fact, the necessary tools, best practices and processes are well-known and available in the application security field. As such, the IoT security problem is part of a broader challenge — namely that app security hasn’t received the attention it deserves.
“Many organizations are just now discovering AppSec,” he said.
What compounds the problem for IoT systems is that many of their manufacturers have little to no experience nor expertise with application development, delivery and, even less, security. And yet, here they are, suddenly pushed by market forces to internet-enable their products.
IoT products contact a central service — usually hosted on a public cloud platform — built on top of standard application stacks. IoT services are usually based on REST (Representational State Transfer) and look almost exactly like regular web application URLs. In other words, an IoT service is a type of web app.
This means that all web app attack vectors apply to IoT, such as SQLi and XSS, as well as the ways of preventing breaches. “As we march through this, we have to have a good understanding of where are the places where we need to secure things,” Kent said.
Enter DevOps and a Secure Software Development Lifecycle
An effective antidote to flawed, unsafe code is DevOps, a novel approach for software development and delivery that emphasizes constant communication and collaboration among everyone involved in an application’s lifecycle.
It’s meant to replace the traditional “waterfall” development method, in which an application is created during a long, sequential process lasting up to two years and where the different teams have little to no interaction with each other.
When properly adopted, DevOps knocks down the walls separating developers, operations staff, QA/testing and security, and creates a shared sense of ownership and accountability among members of the now integrated group for the quality of the end product.
DevOps establishes an iterative process in which developers get feedback from ops, QA and security early and often. The result is software that’s delivered in small chunks, faster, more often, with fewer bugs and more securely.
“It gives visibility to the right people to be able fix the problems at the right times,” said Amy DeMartine, a Forrester Principal Analyst who was a guest speaker during the webcast.
DevOps is often described more as a philosophy about changing the approach and culture of the app dev assembly line, but it’s enabled in practice by a new breed of automated tools for continuous software integration, delivery, code review and security checks.
In the development process, there should also be a code repository with open source or commercial components that the organization knows are safe for programmers to use, so that they don’t insert vulnerable software into the application.
“When we move to a more modern AppSec focus, we allow for ourselves to plug in the security pieces that we need and we don’t have to have an entire suite of experts,” Kent said.
It Takes a Village
IoT manufacturers need to adopt these strategies, tools, best practices and processes for agile and secure software development, according to Kent, who met recently with such an organization and was floored by its lack of AppSec awareness and expertise.
In addition, the IoT industry needs to develop security standards, much like the credit card industry came up with its Payment Card Industry Data Security Standard (PCI DSS).
Meanwhile, customers, including consumers, need to become more active and vocal about asking IoT manufacturers about the security of their products, and demanding answers.
“The consumer can really help out here,” Kent said. “If it’s your focus, it will become their focus.”
View the recorded webcast, “Aligning Web Application Security with DevOps and IoT Trends.”