TENERIFE–Microsoft engineers, executives, and developers have spent much of the past decade spreading the gospel of the security development lifecycle (SDL), trying to convert people and organizations to the religion of building security into software and other products from the beginning of the process. That effort has succeeded in many ways, and now experts say it’s time to bring that thinking to the IoT world.
Security typically is not high on the list of priorities for companies building embedded and IoT devices. Threat modeling a smart TV or car navigation system isn’t something that many developers have experience doing, but these devices all present opportunities for attackers, who see them as computers like any other. The attack surfaces of these devices can be broad and are not necessarily easy to defend.
Those factors make the lack of an SDL all the more problematic.
“Developing a product is like building a house. They both require a secure and strong foundation,” Harsha Banavara, a security analyst at Schneider Electric, a major maker of ICS and other gear, said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday.
The idea of an SDL did not originate at Microsoft, but the company has been one of the loudest proponents of the approach for many years. It’s a lesson that Microsoft learned the hard way in the early 2000s, as attackers and customers both took notice of the numerous weak spots in Windows, Internet Explorer, and Office. Out of the pain of customer anger and public embarrassment came Microsoft’s initial forays into creating an SDL, a process that continues today.
Banavara said that IoT device manufacturers should follow the lead of traditional software makers before it’s too late to make the necessary changes. Right now, not many consumers are screaming and yelling about vulnerabilities in their IoT devices, but that may change if there’s a major attack that becomes public.
“An SDL reduces ambiguity, and it also helps in the marketplace,” Banavara said.
The privacy considerations raised by an increasing number of devices capturing and transmitting data about their users and environments also need to be addressed. Many owners likely have no idea of the kind and volume of information their smart devices gather.
“We’ve got more and more devices recording all of our conversations and the data is being sucked away for the companies to mine,” said Chris Rouland, CTO of Bastille Networks.
Image from Flickr stream of Scott Law.