The Internet of Things (IoT) is here, but is your security program ready to handle it? For many reasons, such as network complexity, limited visibility, politics and the other challenges that come along with emerging technologies in the enterprise, your organization is likely underprepared.

To get up to speed, a good place to start is your application security program. Sure, the IoT is made up of traditional network systems and needs to be managed in that regard. However, these systems are very application-centric. They’re designed to do something, so they tend to have larger software attack surfaces compared to traditional network hosts. That means you need to look beyond and above the network layer — all the way up the stack to the application layer — if you’re going to find, fix and manage security risks across your IoT environment.

Is Your Application Security Program Ready for the IoT?

To me, a great way to manage the critical aspects of IoT security is to integrate these systems with your application security program. The systems themselves will still need traditional network security management components involving inventory and asset control, system monitoring, patching and the like. Since the largest attack surface is at the software layer in most cases, why not pull IoT systems under the umbrella of application security?

In my focused work testing IoT systems for security flaws, I’ve found that not only are the application-level flaws all over the map, they’re different for every device. This includes flaws such as:

  • Cross-site scripting (XSS), a flaw that facilitates client-side exploits and malware propagation through JavaScript and similar code;
  • SQL injection, a flaw that permits the direct injection of SQL commands, which allows for direct database access and queries, and sometimes full system control;
  • Network communication exposures, which are flaws brought about by known weaknesses in Secure Sockets Layer (SSL) and older Transport Layer Security (TLS) configurations as well as good, old-fashioned cleartext communications using Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and related protocols;
  • Weak user credential management, which permits users to set weak passwords, facilitates subsequent password cracking and makes password reset functions exploitable; and
  • HTTP redirection and open proxies, which enable network users, cybercriminals and malware to bypass network security controls and cover their tracks while attacking others via IoT systems.
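The HTTP redirection flaw in the last bullet is worth seeing in code, because the usual "fix" is itself the bug. The block below is an added example written for this page, not code from the article or from any device vendor: it puts a typical weak check on a login handler's "next" parameter beside a hardened one. The hostnames, the ALLOWED_HOSTS set and the sample targets are constructed for illustration.

```python
"""Open-redirect validation: a deliberately weak check beside a hardened one.

Added example for the 'HTTP redirection and open proxies' point; not code
from the article. Hostnames and sample targets are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts the device is allowed to send a browser to (constructed for the example).
ALLOWED_HOSTS = {"device.local", "cloud.example.com"}


def naive_redirect_target(next_url: str) -> str:
    """Weak form: only rejects targets that literally start with 'http'.

    Many embedded login pages 'validate' ?next= this way. It is bypassed by
    protocol-relative URLs such as //evil.example, which browsers resolve to
    https://evil.example when the page itself was served over HTTPS.
    """
    if next_url.lower().startswith("http"):
        return "/"
    return next_url


def safe_redirect_target(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened form: parse the target and permit only a same-site relative
    path or an absolute https URL whose host is explicitly allowlisted.
    Anything else falls back to the device root."""
    if not next_url:
        return "/"
    # Browsers treat backslashes as forward slashes, so normalise first;
    # otherwise '/\\evil.example' parses as a harmless relative path.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: one leading '/', not '//', no control characters.
        if (candidate.startswith("/")
                and not candidate.startswith("//")
                and candidate.isprintable()):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return "/"
    # Absolute URL: scheme must be https and the parsed hostname (which
    # excludes any user@ prefix) must be on the allowlist.
    if parts.scheme.lower() == "https" and parts.hostname in allowed_hosts:
        return candidate
    return "/"


if __name__ == "__main__":
    samples = [
        "/dashboard?tab=1",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://cloud.example.com/dash",
        "https://cloud.example.com@evil.example/",
        "https:evil.example",
    ]
    for target in samples:
        print(f"{target!r:45} naive -> {naive_redirect_target(target)!r:25} "
              f"safe -> {safe_redirect_target(target)!r}")
```

The naive check lets "//evil.example/" straight through, which is exactly the open redirect an attacker chains with a phishing link that points at the trusted device. The hardened check uses the parsed hostname rather than a string prefix, so user-info tricks ("cloud.example.com@evil.example") and missing-netloc forms ("https:evil.example") are also rejected.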

The main focus of my clients in the context of IoT security — both IoT manufacturers and end users — is typically at the operating system (OS) and network levels. This includes controls such as Simple Network Management Protocol (SNMP) configuration, audit logging and USB port management.

Those can still be areas of weakness, especially when reviewed from the perspective of a logged-in root user or administrator. Application-layer flaws still make up the bulk of any such IoT security assessment.

The Importance of the Application Layer

I’ve seen a lot of IoT systems and entire IoT environments that are out of the scope of enterprise security standards, policies and procedures. Even ongoing vulnerability scans and penetration tests seem to look at everything but the IoT.

Your security program may be similar at the moment, but you need to start thinking about how to integrate IoT into the mix. Don’t overlook the importance of the application layer. This not only includes standards and policies, but also your software development life cycle and the source code analysis of IoT systems. If you focus on IoT security at the application layer, you can implement the Pareto Principle and find the 20 percent of the flaws that are creating 80 percent of your challenges within these systems.
