The Internet of Things (IoT) is here, but is your security program ready to handle it? For many reasons, such as network complexity, limited visibility, politics and the other challenges that come along with emerging technologies in the enterprise, your organization is likely underprepared.

To get up to speed, a good place to start is your application security program. Sure, IoT devices are still network hosts and need to be managed as such. However, these systems are very application-centric. They are designed to do something, so they tend to have larger software attack surfaces than traditional network hosts. That means you need to look beyond the network layer, all the way up the stack to the application layer, if you are going to find, fix and manage security risks across your IoT environment.

Is Your Application Security Program Ready for the IoT?

To me, a great way to manage the critical aspects of IoT security is to integrate these systems with your application security program. The systems themselves will still need traditional network security management components such as inventory and asset control, system monitoring and patching. But since the largest attack surface is at the software layer in most cases, why not pull IoT systems under the umbrella of application security?

In my work testing IoT systems for security flaws, I have found that not only are the application-level flaws all over the map, they are different for every device. They include flaws such as:

  • Cross-site scripting (XSS), a flaw that facilitates client-side exploits and malware propagation through JavaScript and similar code injected into the device's web interface;
  • SQL injection, a flaw that permits the direct injection of SQL commands into back-end queries, which allows for direct database access and sometimes full system control;
  • Network communication exposures, which are flaws brought about by known weaknesses in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) configurations as well as good, old-fashioned cleartext communications over Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and related protocols;
  • Weak user credential management, which permits users to set weak passwords, facilitates subsequent password cracking and makes password reset functions exploitable; and
  • HTTP redirection (open redirects) and open proxies, which enable network users, cybercriminals and malware to bypass network security controls and cover their tracks while attacking others via IoT systems.
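As an added example (not code from the original article or from any particular device vendor), here are two of the flaw classes above as they commonly appear in a device's embedded web interface, each written as the vulnerable handler beside a hardened form: the "return to" redirect that trusts whatever the client sent, and the password check that accepts anything non-empty. The device address, function names, and the small common-password list are constructed for illustration.

```python
"""Added example, not from the original article: open-redirect handling and
password policy on an IoT device web UI, vulnerable form beside hardened form.
Names, the device address and the sample password list are constructed."""
import re
from urllib.parse import urljoin, urlparse

DEVICE_HOST = "192.168.1.20"  # assumed device address (constructed)


def redirect_target_vulnerable(next_param: str) -> str:
    """Typical post-login 'next' handling: trust the client-supplied URL.
    Sending next=http://attacker.example/ bounces the victim off the device."""
    return next_param or "/"


def redirect_target_hardened(next_param: str) -> str:
    """Only allow relative paths on this device. Absolute URLs, scheme-only
    tricks (javascript:), protocol-relative (//host) and backslash variants
    all fall back to the landing page."""
    if not next_param:
        return "/"
    # Browsers treat '/\\host' and '\\host' like '//host'; reject them up front.
    if next_param.startswith(("//", "/\\", "\\")):
        return "/"
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        return "/"
    # Resolve against the device origin and confirm the host did not change.
    resolved = urlparse(urljoin(f"http://{DEVICE_HOST}/", next_param))
    if resolved.netloc != DEVICE_HOST:
        return "/"
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


# Constructed sample of the defaults attackers try first.
COMMON_PASSWORDS = {"admin", "password", "12345678", "123456", "1234"}


def password_acceptable_vulnerable(pw: str) -> bool:
    """What many devices ship with: any non-empty string is a valid password."""
    return len(pw) > 0


def password_acceptable_hardened(pw: str, username: str) -> tuple[bool, str]:
    """Minimum length, not a known default, not derived from the username,
    and at least three character classes. Returns (accepted, reason)."""
    if len(pw) < 12:
        return False, "shorter than 12 characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "common or default password"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes < 3:
        return False, "fewer than three character classes"
    return True, "ok"


if __name__ == "__main__":
    for target in ("/status?tab=1", "http://attacker.example/", "//attacker.example/x"):
        print(f"{target!r}: vulnerable -> {redirect_target_vulnerable(target)!r}, "
              f"hardened -> {redirect_target_hardened(target)!r}")
    for pw in ("admin", "Correct-Horse-Battery-42"):
        print(f"{pw!r}: vulnerable -> {password_acceptable_vulnerable(pw)}, "
              f"hardened -> {password_acceptable_hardened(pw, 'admin')}")
```

The redirect check deliberately re-parses the resolved URL rather than string-matching a prefix, because prefix checks are the usual source of bypasses on these interfaces. The password policy is a floor, not a ceiling; on a device with a single shared administrator account, rate limiting and lockout on the login endpoint matter at least as much.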

The main focus of my clients in the context of IoT security, both IoT manufacturers and end users, is typically at the operating system (OS) and network levels. This includes controls such as Simple Network Management Protocol (SNMP) hardening, audit logging and USB port management.

Those can still be areas of weakness, especially when reviewed from the perspective of a logged-in root user or administrator, but application-layer flaws still make up the bulk of any such IoT security assessment.

The Importance of the Application Layer

I have seen a lot of IoT systems, and entire IoT environments, that are out of the scope of enterprise security standards, policies and procedures. Even ongoing vulnerability scans and penetration tests seem to look at everything but the IoT.

Your security program may be similar at the moment, but you need to start thinking about how to integrate IoT into the mix. Don't overlook the importance of the application layer. This includes not only standards and policies, but also your software development life cycle and source code analysis of IoT systems. If you focus on IoT security at the application layer, you can apply the Pareto Principle and find the 20 percent of the flaws that are creating 80 percent of your challenges within these systems.
