The Cloud Security Alliance on Friday released guidelines for “future proofing” connected devices, with an eye to helping designers of connected products on the Internet of Things adhere to “basic security measures” throughout the development process.
The guide, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products can be downloaded for free from the Cloud Security Alliance (CSA) web site and is intended as a comprehensive reference for product designers and developers. This in an environment in which poorly designed and secured products are becoming easy prey for cyber criminals and other malicious actors.
The 75-page guide addresses security and privacy issues throughout the entire product lifecycle, with pointers on everything from evaluating the security of various development languages to protecting logical interfaces and Application Program Interfaces (APIs) to securing stored data.
“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” said Brian Russell, Chair IoT Working Group and Chief Engineer, Cyber Security Solutions with Leidos in a published statement. “However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups. We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”
In many areas, the guide is forward looking, addressing IoT issues that already threaten to upset existing security models. For example, the Guide specifically calls out the need for secure and verifiable firmware updates for IoT devices. The guide also asks readers to consider Certificate-Less Authenticated Encryption (CLAE) as an alternative to the traditional Certificate Authority for authenticating IoT endpoints. And authors note Amazon’s use of the OAuth 2.0 standard to secure API level access to the Alexa cloud service. On supply chain security, the guide recommends thorough code analysis for proprietary and open source components that will be integrated into the finished product.
Security issues from Internet connected devices are becoming an acute problem. A recent spate of large-scale denial of service attacks, for example, were launched from global networks of compromised cameras and home routers, according to security experts. Malware like Mirai and Kaiten have been spreading by exploiting software vulnerabilities or configuration weaknesses in a range of devices, including IP cameras, digital video recorders (DVRs) and home routers.