IoT: the emerging security challenge (slide deck transcript) · 2020. 3. 25.
IoT: the emerging security challenge
Considerations for a secure API environment
Razvan Tudor
Chapter Lead IT Security @ ING Software Development Centre
#IoTDS
IoT in numbers
Out of the ~15 bn devices connected in 2015, almost one third (5 bn) were devices from commercial, industrial and consumer environments.
By 2020 this number is forecast to reach 20 bn out of 30/50 bn devices, while IoT spending will rise to 1 bn.
Recent history has shown that devices are not immune to the cyber threat landscape.
IoT security: is it worth it?
Not really, it does not make sense. It will take some time before we see cyber attacks involving IoT.
Not feasible. IoT devices cannot be made secure.
IoT should receive the same treatment as traditional IT Security.
What is IoT Security?
Cybercrime in the media
Can traditional security work for IoT?
Information technology (IT) security, like IoT security, is all about people, technologies and processes, BUT IoT security brings new challenges.
IoT ecosystems consist of large numbers of devices, usually fit for purpose, with an enormous variety of types of data and information flows.
It is expected that the traditional IT security and the new IoT security worlds will merge.
Architecture Components
Architecture diagram (components recovered from the slide layout):
• Network, Device, Platform
• Encryption, PKI, Analytics
• Authentication
• API
• Business Platform / Business Proposition
• Apps, Building Blocks
• Infrastructure
• Engineering
From API technology…
An application programming interface (API) is a set of subroutines, protocols, and tools for building application software.
• Web APIs are the most consumed APIs, with JSON, microservices and RESTful services representing the top technologies used
• It is estimated that more than a quarter of internet traffic comes from API calls
…to attack categories
Denial of Service
• Dyn & others
• Application or network
• Act as intermediary (botnet)
Application Vulnerabilities
• Injection (command, queries, file, code)
• Buffer overflow
• XSS, CSRF
• JSON hijacking
Privileges
• Privilege escalation
• Unprotected keys and passwords
• Account takeover
Functionality
• Firmware corruption
• Brute forcing
• Various abuse scenarios (credential)
One solution: Secure - SDLC
Where is one likely to find more code?
• Linux Kernel
• Modern Car
• Windows Operating System
• Android
Why? Software Complexity
Irrespective of the exact figures, the complexity of IoT embedded software is increasing, leading to a high demand for software security testing on top of traditional security controls.
S-SDLC recommended touch points
Developers Training
• Classroom
• Gameplay
• Integrated IDE checkers
• Security Satellites
SAST (Static Application Security Testing)
• Can identify coding bugs but not design flaws
• False negatives
• Calibration of tool/results
• Does not compensate for Pen Testing
DAST (Dynamic Application Security Testing)
• Lots of calibration effort
• Good Secure Design + SAST + Pen Testing might save DAST effort
Pen Testing
• Keep a balance between effort and results
• Grey Box recommended
• Rotating testers
Foundation: Secure Design (Threat Modelling)
Solving the issues is easy most of the time
Cost of fixing a bug in production is 4 times the cost of fixing it in the SDLC [1]
[1] Jones, C.; Software Quality Metrics: Three Harmful Metrics and Two Helpful Metrics, Project Performance International, 6 June 2012
Lessons learned from the field
• Various injection vulnerabilities are all about input sanitization
• Large-scale API consumption requires good API management practices
• Checks and validations are crucial but slow down performance
• Insecure coding leads to direct object reference issues
• Sometimes it is all about headers
• Brute forcing shall be prevented by design
• CSRF (incl. JSON hijacking) is very common
Potential solutions
Input & Output
• Type, range, valid chars, length, frequency
• Encoding, whitelisting
API Management
• Use API versioning
• Response codes and error handling
Checks & Validation
• On every call, (re)validate (previous) values
• Only GET calls may skip some validations
• Results stored only server-side
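As an added illustration of the Input & Output bullets above (type, range, valid characters, length, whitelisting and output encoding), here is a small Python validator for a hypothetical "register device" API call. This is example code written for this transcript, not code from the talk or from ING; the field names, limits and sample bodies in DEVICE_SCHEMA are constructed for the example. Frequency checks (rate limiting) are a separate concern and are not covered here.

```python
"""Input validation and output encoding for a JSON web API.

Added example for this transcript, not code from the talk. The schema below
describes a hypothetical "register device" call; its field names and limits
are constructed for illustration.
"""
import html
import json
import re
from typing import Any, Dict, List

# Constructed schema: each field carries the checks the slide lists
# (type, range, valid characters, length, whitelist).
DEVICE_SCHEMA: Dict[str, Dict[str, Any]] = {
    "device_id": {"type": str, "max_len": 32, "pattern": r"[A-Za-z0-9_-]+"},
    "firmware_version": {"type": str, "max_len": 16, "pattern": r"[0-9]+\.[0-9]+\.[0-9]+"},
    "sample_rate_hz": {"type": int, "min": 1, "max": 1000},
    "sensor_type": {"type": str, "whitelist": {"temperature", "humidity", "motion"}},
}


def validate_payload(raw_body: str, schema: Dict[str, Dict[str, Any]] = DEVICE_SCHEMA) -> List[str]:
    """Validate a raw JSON request body against `schema`.

    Returns a list of human-readable errors; an empty list means the payload
    passed every check. Validation is deny-by-default: unknown fields, missing
    fields and wrong types are all rejected rather than silently ignored.
    """
    errors: List[str] = []
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]

    unknown = set(payload) - set(schema)
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")

    for name, rule in schema.items():
        if name not in payload:
            errors.append(f"{name}: missing")
            continue
        value = payload[name]
        expected = rule["type"]
        # bool is a subclass of int in Python, so JSON "true" would pass an int
        # check unless excluded explicitly.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"{name}: expected {expected.__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        if "pattern" in rule and re.fullmatch(rule["pattern"], value) is None:
            errors.append(f"{name}: contains characters outside the allowed set")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
        if "whitelist" in rule and value not in rule["whitelist"]:
            errors.append(f"{name}: not one of the allowed values")
    return errors


def encode_for_html(value: str) -> str:
    """Output encoding: escape a stored value before reflecting it into HTML,
    so that a device name such as '<script>' renders as text (XSS defence)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample bodies: one clean, one with several problems.
    print(validate_payload('{"device_id": "sensor-01", "firmware_version": "1.2.3", '
                           '"sample_rate_hz": 10, "sensor_type": "temperature"}'))
    print(validate_payload('{"device_id": "bad id!", "firmware_version": "1.2.3", '
                           '"sample_rate_hz": 5000, "sensor_type": "camera", "admin": true}'))
```

The validator returns every failure rather than stopping at the first one, which is useful for logging and for giving a client a single, complete error response; the whitelist and fullmatch checks are the "valid chars" and "whitelisting" bullets, the bool exclusion is the kind of type-system corner case that a naive isinstance check misses.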
Potential solutions cont'd
Direct referencing
• Confidential information kept out of the URL or query string
• API hosted in a different (URL) path
Headers
• Set correct security headers
• Validate the CSRF header
Bruteforcing
• Ban requests based on IP address
• Limit the number of requests per period
CSRF/JSON Hijacking
• Validate the Content-Type header
• Return objects, not arrays
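The Headers, Bruteforcing and CSRF/JSON Hijacking bullets above combine naturally into one request/response gate, shown here as an added Python example written for this transcript (not code from the talk or from ING). The header names, the rate-limit figures, the response header values and the sample requests are all constructed for illustration; in a real service these checks would sit in the web framework's middleware, and the per-IP limiter would live in shared storage rather than in process memory.

```python
"""Header, anti-brute-force and CSRF/JSON-hijacking checks for a JSON API.

Added example for this transcript, not code from the talk. Header names,
limits and the sample requests are constructed for illustration.
"""
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Any, Deque, Dict, Optional, Tuple

# Headers set on every response; the values are conventional hardening choices.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Custom header carrying the per-session CSRF token (assumed name for the example).
CSRF_HEADER = "x-csrf-token"


class RateLimiter:
    """Sliding-window limit: at most `limit` requests per `window` seconds per client IP.

    Refused requests are counted too, so a client hammering a login endpoint
    cannot reset its own window by being refused.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        hits.append(now)
        return len(hits) <= self.limit


def check_request(method: str, headers: Dict[str, str], client_ip: str,
                  session_token: str, limiter: RateLimiter,
                  now: Optional[float] = None) -> Optional[Tuple[int, str]]:
    """Return (status, reason) when the request must be rejected, else None."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # Brute forcing: limit the number of requests per period per IP address.
    if not limiter.allow(client_ip, now):
        return 429, "too many requests"

    if method.upper() in ("POST", "PUT", "PATCH", "DELETE"):
        # CSRF / JSON hijacking: an HTML form cannot submit application/json, so a
        # strict Content-Type check already blocks simple cross-site posts.
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return 415, "content type must be application/json"
        # CSRF header: custom headers need CORS permission to be sent cross-origin;
        # compare the token in constant time against the one tied to the session.
        token = h.get(CSRF_HEADER)
        if token is None or not hmac.compare_digest(token, session_token):
            return 403, "missing or invalid anti-CSRF header"
    return None


def wrap_for_output(payload: Any) -> Dict[str, Any]:
    """Return objects, not arrays: a bare top-level array is a valid JavaScript
    literal, which is what JSON hijacking relied on; an object wrapper is not."""
    return payload if isinstance(payload, dict) else {"data": payload}


def build_response(payload: Any) -> Tuple[Dict[str, str], str]:
    """Serialise `payload` with the security headers attached."""
    return dict(SECURITY_HEADERS), json.dumps(wrap_for_output(payload))


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=60.0)
    ok = {"Content-Type": "application/json", "X-CSRF-Token": "s3cr3t"}
    print(check_request("POST", ok, "10.0.0.1", "s3cr3t", limiter, now=1000.0))
    print(check_request("POST", {"Content-Type": "text/plain"}, "10.0.0.1", "s3cr3t", limiter, now=1001.0))
    print(build_response([{"id": 1}]))
```

The order of the checks matters: the rate limit is applied before anything else so that malformed or unauthenticated requests still count against a client, and the Content-Type check comes before the token comparison so that the cheap check runs first. The `now` parameter exists only so the sliding window can be exercised deterministically; production code would leave it unset.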
Future of IoT Security (API)
• Most likely traditional IT (Business) Technology will merge with Consumer (IoT) Technology
• The merger will be facilitated by the proliferation of API consumption, which will represent one of the biggest security challenges
• Large API numbers and data volumes around APIs will require a focus on secure development/secure components rather than on the entire security ecosystem
• Regulation will step in
• Security organizations will probably need to change/adapt
Q&A