
Recent security incidents exploiting weaknesses in Internet of Things (IoT) devices have demonstrated that software assurance is no longer just an issue for traditional information technology suppliers and end user organizations. Here’s why:

  • Recent attacks have shown that connected devices can be exploited to launch large-scale attacks
  • Connected Internet-of-Things (IoT) devices cannot hide their security weaknesses
  • Ensuring that the software running on a connected device is secure is critical both for the security of the device and for the security of the rest of the Internet

SAFECode believes that organizations must work together to prevent further attacks. This sort of collaboration will change the industry in two key ways:

  1. Technology companies will look to align across their organization, with end users and with other companies facing similar threats:

    SAFECode is helping technology companies develop software using a more robust, secure software development process. As a result, software developed in the future will be more resilient to security attacks. While attackers continue to become more sophisticated in finding vulnerabilities and we still have work to do, I’m confident that through continued industry knowledge-sharing and training we will continue to improve the security of the software we build. Examples of resources to support this goal include our training materials and publications.

  2. Security best practices should be integrated into development proactively, not as an afterthought:

    As with any other computing platform, proactively developing secure software for connected devices is the foundation of IoT security. Secure development cannot be done effectively as an afterthought. Attackers can potentially bypass network security controls by exploiting the software running on connected devices. As a result, it is critical that anyone involved in defining, designing, developing or testing software-based products or applications adopts fundamental practices for secure software development and receives proper security training.

While we cannot eradicate all vulnerabilities from the software that powers our systems, we can take steps to significantly reduce the number of vulnerabilities and their impact. These steps start by building security into the processes we use to design, develop, test and deploy the systems we use to power our IT infrastructure. SAFECode’s free, on-demand training courses are a great resource to build and apply secure development practices outlined in SAFECode’s Fundamental Practices for Secure Software Development document.

# # #