“Security is everyone’s job”

Security-by-design has long been touted as an answer to the current threats facing the Internet of Things (IoT) landscape, but this will only happen if pen testers and developers meet each other halfway.

That’s according to Jay Harris, a security researcher at Manchester-based security consultancy Digital Interruption.

“We need to push security close to the beginning of the process,” he said, speaking at the BSides Leeds hacking conference last weekend.

“We need to put it in the hands of the developers and testers who are already on a team.”

Harris thinks that the answer to IoT security challenges lies in creating a more effective workflow between developers and pen testers – an approach that’s not without its problems.

“From the developers’ point of view, they’re spending a small fortune on someone coming in to do a pen test, and what they get back is a 50-page argument saying that we’ve found all these problems,” Harris said.

“We [pen testers] are there to say you can’t go live, your application is broken, you can’t do this – you can’t do your job.”

Harris added: “But if we integrate security [then] it becomes part of a company’s ethos and their culture.”

Security from the ground up

Thinking about security from the outset partly means that security requirements should be implemented at the beginning of the development process, Harris said – writing code that says all requests should use HTTPS, for example, or ensuring that systems don’t store passwords in users’ cookies.

Adding such requirements to a developer’s to-do list, however, is often easier said than done, particularly as today’s deadline-driven environments provide little room, let alone incentive, for enforcing security.

“I think a lot of developers understand that they can’t stop development and that releasing on time is the priority,” Harris said, recognizing that secure code would be essential for those building financial applications, at least.

“But every time we [pen testers] find something, they [developers] know that they have to address it, and that it is going to affect their deadlines.”

Another barrier to IoT security, according to Harris, is a less-than-welcoming infosec industry, which sometimes has the tendency to dismiss a developer’s work without understanding what the application might be used for.

“We’re here to make their product better, not tell them that they’re wrong,” said Harris. “I might rate something as a high-risk vulnerability but, actually, the organization may have controls in place.”

Some applications, for instance, might be created for internal purposes with only a few trusted users given access privileges. A lack of information on precautions already taken at a company makes the pen tester’s job less thorough, increasing the chances that more bugs slip under the radar.

Harris thinks that sending developers on security training – and getting pen testers to attend developer conferences – could be a way to smooth out the process, and help get organizations to do testing earlier.

“Doing security testing early is cheaper, which is fantastic, but there are also different ways to test when it’s done earlier,” he said.

“Unit testing, for example, is not something that I’d necessarily do as a pen tester, but it’s one of the ways that developers could test their applications.”

Creating tools to automate security testing at the development stage may be another key factor.

“We have tons of hacker tools for hackers, I think we need more hacker tools for developers,” said Harris, who started his career as a developer.

“A lot of these hacker tools don’t work in the way that developers work, and testing early means that there’s going to be fewer vulnerabilities when I go to do a pen test.”
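As an illustration of the developer-side testing described above, the following check is an added example, not code from Harris or Digital Interruption. It audits one recorded request against the two requirements mentioned earlier (HTTPS for every request, no passwords in cookies); the cookie-name list, the `device.example` host and the test password are assumptions made for the example.

```python
import base64
from http.cookies import SimpleCookie
from urllib.parse import quote, urlsplit

SENSITIVE_NAMES = ("password", "passwd", "pwd")  # assumed naming convention

def password_forms(password):
    """The test account's password as it might appear inside a cookie value."""
    raw = password.encode()
    return {password, quote(password, safe=""), base64.b64encode(raw).decode()}

def audit_exchange(url, set_cookie_headers, test_password):
    """Return findings for one recorded request URL and its Set-Cookie headers."""
    findings = []
    # Requirement 1: every request uses HTTPS.
    if urlsplit(url).scheme.lower() != "https":
        findings.append(f"request not sent over HTTPS: {url}")
    # Requirement 2: no cookie stores the password, by name or by value.
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if any(word in name.lower() for word in SENSITIVE_NAMES):
                findings.append(f"cookie {name!r} is named like a password store")
            elif any(form in morsel.value for form in password_forms(test_password)):
                findings.append(f"cookie {name!r} carries the account password")
    return findings

# Constructed sample traffic for a test account (not real captures).
TEST_PASSWORD = "Tr0ub4dor&3"
GOOD = ("https://device.example/api/login",
        ["session=9f2c1e7a; Path=/; Secure; HttpOnly"])
BAD = ("http://device.example/api/login",
       ["remember=" + base64.b64encode(TEST_PASSWORD.encode()).decode() + "; Path=/",
        "user_pwd=x; Path=/"])

if __name__ == "__main__":
    for url, cookies in (GOOD, BAD):
        print(url, audit_exchange(url, cookies, TEST_PASSWORD) or "ok")
```

Called from a unit test with the responses an application's test client records, a non-empty result fails the build before the code reaches a pen tester.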

Internet of Threats

Limiting vulnerabilities in the growing number of IoT devices – expected to reach 20.4 billion worldwide in 2020, as estimated by Gartner in 2017 – isn’t a dilemma for just the developers to solve.

The British government just yesterday committed a £70 million (approximately $92 million) investment aimed at supporting industry in ‘designing out’ cyber threats – a fund that hopes to create products which will nullify certain vulnerabilities from the get-go.

Announced as part of the UK’s Industrial Strategy Challenge Fund, an additional £30 million has been allocated to developing security for smart systems – an issue that 62% of consumers believe needs improvement, according to a study from Gemalto.

The UK aims to take the lead in securing global IoT infrastructure by producing a voluntary Code of Practice for industry to implement, relevant to device manufacturers, IoT service providers, mobile application developers, and retailers.

But despite this push for IoT standardization across industry – one that major manufacturers Hewlett-Packard and Centrica Hive have publicly endorsed – enforcing that responsibility still remains a long way off.