Improving IoT With DevSecOps
From continuous code analysis and change management to vulnerability and compliance assessment, through DevSecOps, coders are developing secure coding processes and techniques from the very beginning – not at the tail end of the process as some afterthought or add-on. An area of intense interest these days is the Internet of Things (IoT), with a rapid push for many products to be given “smart” capabilities. Some of these have proved quite beneficial, such as the smartphone, while others, like the “smart water bottle,” seem more of a novelty than anything else. The one thing these devices have in common, though, is code.
Code is needed to make these devices perform their “smart” functions. Unfortunately, in the push to get products to market, this code is sometimes neglected and its security is often non-existent. With everything from coding flaws that lead to security compromises, to exposure of collected private user data, there have been plenty of headline-grabbing examples that smart device manufacturers want to avoid. Overall, the IoT coding arena is one that is certainly willing to adopt basic DevOps, but could benefit greatly from security through the adoption of DevSecOps.
Why These Things Are Important
You cannot hide anything from a determined attacker. Decompiling the accompanying application on the phone, intercepting firmware used in an update, and monitoring any and all communication coming in and out of an IoT device are all entirely possible, so the concept of “security through obscurity” just won’t work. The skills to do this may seem near magical to some, but they are not. There are security conferences where the latest tools and techniques for hacking and attacking IoT devices are a large part of the agenda, and you can find tons of free resources online to learn new techniques as well.
Compromises can mean serious consequences. A coding flaw in a smart toaster may not seem like a huge deal, but if a fleet of these toasters is used to flood a target with large volumes of Internet-clogging traffic to disable websites, it becomes a huge deal. Simple compromises can be scaled (because of the Internet), making digital mountains out of IoT molehills.
While the use of regularly-maintained libraries of code can be helpful and drastically speed up the coding process, using older or poorly-maintained coding libraries can cause issues, particularly if they contain security flaws. If an older, outdated library for a web interface is used in a device and contains a flaw, this could easily be exploited by attackers – regardless of what the device is. For example, many smart devices collect user data; a good example of this is smart televisions. If a common library used by the television manufacturer contains a security flaw that allows unauthorized access to data, it could impact a lot of users. If a newer version of the library exists, simply updating the code with the new version could fix the problem (assuming the updated code can be sent out to the affected televisions). However, more than one product could be using this older, vulnerable library, which could cause issues across multiple product lines within a single company.
Depending on the IoT device and how some of the apps work, there is also the chance you are storing customer data, which is its own animal to deal with. Even simple items like names, passwords, and email addresses can be serious if exposed.
DevSecOps to the Rescue
Fortunately, things are not so dire as one might think. The main idea behind DevSecOps is to be proactive rather than reactive. By developing and embedding the usual security safeguards and principles into the coding process from the beginning, you solve most of the security issues before they even start. And if some security issue does come to the forefront, you already have a structure in place to fix the issue.
Having a change management process for code development is great, and using tools to help with security code analysis at every step of the change process is an excellent method to adopt. Bear in mind that many flaws in code that have security implications also cause reliability issues, so expanding the principles and scope of secure coding leads to a much more stable code base. Continued vulnerability assessment helps ensure a much more polished product, one that can meet some of the more rigorous compliance issues that software companies are facing. I’d also recommend making sure that your coders get regular training on secure coding practices, and don’t be afraid to send them to security conferences – especially those that focus on DevSecOps. This impacts the bottom line as well: If your code is cleaner and more secure, less time is spent going back and fixing past flaws, and more time is spent in other areas such as new features.
All of this basically boils down to the idea that you develop some security principles and goals, and integrate those into your development process. This type of integration can help eliminate a lot of the common pitfalls one reads about in security breaches involving IoT: hard-coded passwords or cryptographic keys, insecure communication protocols, improper data storage on the “thing” or mobile device or cloud instance, outdated libraries, and so on.
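As an added illustration (not code from the article or from any particular product), the sketch below shows a pre-merge gate that checks a change for three of the pitfalls listed above: hard-coded credentials or keys, insecure protocol URLs, and library pins older than a known-safe version. The patterns are heuristics, and the file names, library names and version numbers are constructed for the example.

```python
import re

# Heuristic patterns for pitfalls named above; illustrative, not exhaustive.
RULES = [
    ("hard-coded credential",
     re.compile(r'(?i)(password|passwd|secret|api_?key)\w*\s*=\s*"[^"]{4,}"')),
    ("embedded private key",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("insecure protocol",
     re.compile(r"(?i)\b(?:http|ftp|telnet|mqtt)://")),
]

def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def scan_sources(files):
    """Return (path, line_no, rule_name) for every rule hit in {path: text}."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, line_no, name))
    return findings

def scan_manifest(pinned, minimum_safe):
    """Return (library, pinned, required) for pins below the safe minimum."""
    return [(lib, ver, minimum_safe[lib])
            for lib, ver in sorted(pinned.items())
            if lib in minimum_safe
            and parse_version(ver) < parse_version(minimum_safe[lib])]

def gate(files, pinned, minimum_safe):
    """Return True only when the change has no findings; CI fails otherwise."""
    return not scan_sources(files) and not scan_manifest(pinned, minimum_safe)

# Constructed sample change set: two firmware sources and a dependency manifest.
SAMPLE_FILES = {
    "firmware/net.c": 'const char *broker = "mqtt://broker.example.invalid";\n'
                      'const char *wifi_password = "toaster123";\n',
    "firmware/update.c": 'const char *url = "https://updates.example.invalid/fw";\n',
}
SAMPLE_PINS = {"webui-lib": "1.2.9", "tls-lib": "3.1.0"}      # hypothetical names
SAMPLE_MINIMUMS = {"webui-lib": "1.2.10", "tls-lib": "3.0.0"}  # hypothetical floor

if __name__ == "__main__":
    print(scan_sources(SAMPLE_FILES), scan_manifest(SAMPLE_PINS, SAMPLE_MINIMUMS))
    print("gate passed:", gate(SAMPLE_FILES, SAMPLE_PINS, SAMPLE_MINIMUMS))
```

Versions are compared as integer tuples because a plain string comparison would rank "1.2.9" above "1.2.10" and let the outdated pin through.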
Added Competitive Advantage
While there are technical differences between security issues and privacy issues, most customers who purchase IoT devices see no difference between them. Having a smart refrigerator with “security features” may not resonate with customers, but being able to state you have “privacy features” could potentially be a deciding factor in a purchase. Given a couple of smart waffle irons at roughly the same price, the one that has been enhanced with privacy protection for the customer may have a slight advantage. No one wants their secret Belgian waffle addiction to be public!
Takeaways
If you apply DevSecOps principles to your development processes for IoT devices and include cloud, app, and even firmware in that cycle, you can end up with a more secure product, can brag about your new privacy features in advertising, and hopefully, you’ll be in the headlines for nothing but good reasons.
Mark Loveless
Mark Loveless is a Senior Security Researcher at GitLab. His past employers have included startups, large corporations, hardware and software vendors, and even a government think tank. He has spoken at numerous security and hacker conferences worldwide on security and privacy topics, including Black Hat, DEF CON, ShmooCon, RSA, AusCERT, SANS among others. He has been quoted in television, online, and print media outlets as a security expert, including CNN, Washington Post, New York Times, and many others. He loves blogging, performing death metal, ghost hunting, and is an ordained minister.