The Internet of Things (IoT) holds great promise for the future of technology, but it also presents considerable risk for users. Today's waves of Internet-enabled devices — and the applications they run — are designed to be as inexpensive as possible. But sometimes, those savings come at the cost of security. Going forward, developers working on IoT apps and devices have to keep security in mind to ensure customer safety.
The issue with IoT devices and apps is not only that they are plentiful, but that they hold incredibly valuable information. Going beyond device and information theft, IoT devices such as home security systems and automobiles allow access to people's most valuable possessions, and they can cause endless headaches if they get hacked.
The issues surrounding IoT apps, as discussed in a Network World article on the topic, are snowballing as developers are pressured to get devices either to the marketplace or into use within an enterprise as soon as possible. This is compounded by the fact that many of these apps are built on open-source components or use open-source libraries, meaning one small vulnerability can affect a number of disparate devices.
These devices are also making networks less secure, since many of them are connected to otherwise secure networks (such as those at large businesses) without IT fully understanding that a new set of devices is now part of the network. Should one of these devices present a vulnerability to the network, the wide-ranging effects could be devastating.
While some of the responsibility to secure these devices and applications will fall to users (and those who allow them on their networks), the brunt of the effort to secure them has to be handled by IoT app developers.
For enterprises developing IoT apps for either internal use or for products, the first step has to be integrating security into the earliest phases of the development process without hampering development's ability to meet its deliverables. As Agile development expands, enterprises are seeing the dividends of getting new software into production at a fast pace. However, this can also make adopting secure practices difficult, as each small Agile team will have a different mind-set regarding security and how it should be worked into code.
The security issues with IoT apps are further complicated by the widespread use of third-party code. All the secure development practices used on in-house code won't matter if outsourced pieces are insecure, and this problem will only grow as apps become more complex and require integrating more outsourced code. Businesses must find holistic solutions that can simultaneously ensure in-house code is being developed securely and that external pieces can withstand modern cyberattacks.
One viable solution is to turn to a dedicated vendor that has experience in all aspects of application security. These vendors can provide the tools required to test applications as they are being developed, including static testing, which can scan code outside of runtime and find vulnerabilities that dynamic scans can miss. These vendors also have experience integrating security into the Software Development Lifecycle, relieving some adoption-related stress from CISOs and their teams.
There are also tools available that can greatly assist in securing third-party code. Along with standard penetration tests and dynamic scans, binary static testing can examine compiled code for weaknesses without requiring access to its source.
With a cloud-based security solution, these types of strict security measures and tests can be seamlessly rolled out to an entire enterprise over a short period of time. This not only expedites overall security projects, but since the cloud-based solution will be automatically updated as different threats come into prominence, it also helps make sure all the Agile teams use the same set of security checks.
Within a few years, the IoT will be so widespread that every enterprise will have thousands — if not millions — of Internet-enabled devices or applications in use. With this popularity comes the ever-present risk of attack. Enterprises must put in the effort now to ensure they are developing securely, or they risk leaving their networks open in the future.
Learn more about the risks posed by the Internet of Things with this whitepaper from the CA Veracode Research Team: https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html