Integrating the IoT Into Your Application Security Program
The Internet of Things (IoT) is here, but is your security program ready to handle it? For many reasons, such as network complexity, limited visibility, politics and other challenges that come along with emerging technologies in the enterprise, your organizations is likely underprepared.
To get up to speed, a good place to start is your application security program. Sure, the IoT is made up of traditional network systems and need to be managed in that regard. However, these systems are very application-centric. They’re designed to do something, so they tend to have larger software attack surfaces compared to traditional network hosts. That means you need to look beyond and above the network layer — all the way up the stack to the application layer — if you’re going to find, fix and manage security risks across your IoT environment.
Is Your Application Security Program Ready for the IoT?
To me, a great way to manage the critical aspects of IoT security is to integrate these systems with your application security program. The systems themselves will still need traditional network security management components involving inventory and asset control, system monitoring, patching and the like. Since the largest attack surface is at the software layer in most cases, why not pull IoT systems under the umbrella of application security?
In my focused work testing IoT systems for security flaws, I’ve found that not only are the application-level flaws all over the map, they’re different for every device. This includes flaws such as:
- SQL injection, a flaw that permits the direct injection of SQL commands, which allows for direct database access and queries, and sometimes full system control;
- Network communication exposures, which are flaws brought about by known exploits in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) as well as good, old-fashioned cleartext communications using Hypertext Transfer Protocol (HTTP), file transfer protocol (FTP), simple mail transfer protocol (SMTP) and related protocols;
- Weak user credential management, which permits users to set weak passwords, facilitates subsequent password cracking and makes password reset functions exploitable; and
- HTTP redirection and open proxies, which enable network users, cybercriminals and malware to bypass network security controls and cover their tracks while attacking others via IoT systems.
The main focus of my clients in the context of IoT security — both IoT manufacturers and end users — is typically at the operating system (OS) and network levels. This includes options such as simple network management protocol (SNMP), audit logging and USB port management.
Those can still be areas of weakness, especially when reviewed from the perspective of a logged-in root user or administrator. Application-layer flaws still make up the bulk of any such IoT security assessment.
The Importance of the Application Layer
I’ve seen a lot of IoT systems and entire IoT environments that are out of the scope of enterprise security standards, policies and procedures. Even ongoing vulnerability scans and penetration tests seem to look at everything but the IoT.
Your security program may be similar at the moment, but you need to start thinking about how to integrate IoT into the mix. Don’t overlook the importance of the application layer. This not only includes standards and policies, but also your software development life cycle and the source code analysis of IoT systems. If you focus on IoT security at the application layer, you can implement the Pareto Principle and find the 20 percent of the flaws that are creating 80 percent of your challenges within these systems.