Iot World Today
5 Questions to Ask Your Software Providers About Cybersecurity

When it comes to software, 90% comes from sources outside of your control. Are you doing all you can to make sure it does not contain weaknesses and vulnerabilities that could bite you later on down the road?
  • Written by Robert Vamosi
  • 27th July 2016

Congratulations! You’ve taken the first steps to get that great IoT idea of yours into production. You’ve even hired a team of software engineers to build out your dream. But in the rush to market, software security (and security in general) cannot be an afterthought with IoT. Unlike a server crash in an enterprise, failure of an IoT component can result in direct physical harm. Think of medical devices. Or connected cars. Or industrial control systems.  

In-house software engineers are perhaps the one element that is under your control. Proprietary code can and should be tested within your agile software development lifecycle using static analysis software testing (SAST) tools. If you aren’t already testing your own code, you should consider doing so now. Performing software security and quality tests while you code dramatically reduces engineering costs later.

However, up to 90% of software developed today comes from sources outside your immediate control. This includes both commercially available software you may license as well as free open source software. Some open source software even has its own license requirements which, if you are not careful, may require you to expose your proprietary code at some point.

Often the inclusion of third-party software is done out of practicality. For example, you may not be familiar with all the ins and outs of SSL/TLS, so why reinvent the wheel when someone else has perfected it already? It may benefit your organization to use something like OpenSSL, or to purchase an existing commercial SSL package.

While relying upon a supplier may satisfy an immediate goal — get your product out to market sooner — you may experience some regret (and costs) if that product is later found to contain software weaknesses and vulnerabilities.

Once your smart device gets out into the field, it gets significantly harder to update — if your device even allows for updates. Some IoT devices communicate regularly with the internet, so updates may already be built into those communications. Other devices may require the user to download and install updates themselves. Still other devices may not have the physical capacity to update, and this may require a costly replacement of that device in the field.

So, as you develop your product/idea/concept, here are some things you should be asking your software supply chain partners.

  1. Have you tested your third-party software against known software vulnerabilities? The MITRE organization publishes a list of known vulnerabilities, technically known as Common Vulnerabilities and Exposures or CVEs. These can be found listed on the National Vulnerability Database. Automated Software Composition Analysis tools can check third-party software and identify any known issues.
  2. Have you tested your third-party software against known software weaknesses? In addition to exploitable vulnerabilities, you need to be aware of common software weaknesses that can lead to future vulnerabilities and potential exploits. The MITRE organization also maintains a list of common software weaknesses. The Open Web Application Security Project or OWASP publishes a Top 10 list every three years identifying similar weaknesses. And the SANS organization publishes its own Top 25 list. An automated static analysis tool will perform these checks.
  3. Do you know what’s in your third-party software? Some open source projects require that you make your source code public. Additionally, there are rules around licenses that could involve future legal actions. Better to know up front. Here again, a good software composition analysis tool can identify open source licenses, allowing you to determine whether or not you should go forward (or at least know up front what the hidden costs might be).
  4. Do you know where your data is? Beyond testing the firmware in your device, web and mobile application testing is equally important. How the user interacts with your device or even how the device interacts with the Cloud could expose data in ways you didn’t intend. Agile runtime security analysis or Interactive Application Software Testing (IAST) can identify unintended visibility of sensitive data as it interacts with your software or the Cloud.
  5. Finally, have you tested your software against unknown software vulnerabilities? Seriously, you can identify unknown vulnerabilities using a testing technique known as Fuzz Testing, also known as negative input testing or malformed input testing. The idea here is to create malformed inputs that can trigger a crash or signal the presence of a new vulnerability. While you can shoot-for-the-moon and test for every conceivable form of malformed input, you can also rule out a vast number of these scenarios and only focus on specific protocols and therefore be more efficient with your tests.
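
The fuzz testing idea in question 5, shown as an added example that is not from the original article: a small mutation fuzzer aimed at one specific message format rather than at arbitrary bytes. The record format, the parser with its deliberate flaw, and every name here are constructed for illustration.

```python
import random
import struct

class ParseError(ValueError):
    """Clean rejection of malformed input: the behaviour we want."""

def parse_record(msg: bytes) -> dict:
    # Constructed toy format: type(1) | length(2, big-endian) | payload | checksum(1)
    if len(msg) < 4:
        raise ParseError("short message")
    rtype, length = struct.unpack(">BH", msg[:3])
    if rtype not in (1, 2):
        raise ParseError("unknown type")
    payload = msg[3:3 + length]
    checksum = msg[3 + length]  # deliberate flaw: length field is trusted
    if checksum != sum(payload) & 0xFF:
        raise ParseError("bad checksum")
    return {"type": rtype, "payload": payload}

def parse_record_fixed(msg: bytes) -> dict:
    # Same parser with the declared length checked against the bytes received.
    if len(msg) < 4 or len(msg) != 4 + struct.unpack(">H", msg[1:3])[0]:
        raise ParseError("length mismatch")
    return parse_record(msg)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    kind = rng.randrange(4)
    if kind == 0:    # lie in the length field
        data[1:3] = struct.pack(">H", rng.randrange(0x10000))
    elif kind == 1:  # truncate mid-message
        del data[rng.randrange(1, len(data)):]
    elif kind == 2:  # flip one bit anywhere
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    else:            # append trailing junk
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seed: bytes, rounds: int = 500, rng_seed: int = 0) -> dict:
    rng = random.Random(rng_seed)
    findings = {}  # exception name -> first input that triggered it
    for _ in range(rounds):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            continue  # rejected cleanly
        except Exception as exc:  # anything else is a robustness finding
            findings.setdefault(type(exc).__name__, case)
    return findings

# Constructed valid message: type 1, payload b"hello", correct checksum.
SEED = struct.pack(">BH", 1, 5) + b"hello" + bytes([sum(b"hello") & 0xFF])
```

Calling `fuzz(parse_record, SEED)` returns the first input that made the parser fail in an uncontrolled way, which can be saved as a regression case; the same run against `parse_record_fixed` returns no findings.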

In production, your hardware will go through a sign-off process, where each component is tested separately before inclusion into the final design. Why not do the same with your software and test each component – whether you wrote the code or someone else did? Adding incremental testing — building in quality and security along the way — will help launch your product successfully and reduce the overall costs of product management significantly.
