ECE / BaS October 2015 - page 14

Tools & Software
The needed impact of the IoT on software engineering
By Marc Brown, GrammaTech
The Internet of Things is a paradigm impacting our daily life for good or bad. IoT software needs security by design, which makes it a business imperative. Manufacturers must evaluate the cyber threats and level of exposure of IoT devices, implementing all necessary design checks and countermeasures against the accelerating set of menaces.
Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) evolution is forming a perfect storm. This single, transformative force is bigger than anything in the history of the tech industry, fuelling an unparalleled consumer-oriented features race, expected to advance at an incredible rate over the next decade.
And why not? Vendors are racing to claim a piece of the predicted 8.9-trillion-dollar IoT market by 2020, made up of more than 50 billion IoT devices spanning nearly all markets – automotive, energy/utilities, home appliance, consumer electronics, medical, education, manufacturing, and more. Although very exciting to the consumer, this race for IoT superiority also brings to light a significant dark side.
Current manufacturers are still developing products using old and entrenched supply chain, engineering, and QA processes that weren't designed for the complexities of today's highly connected smart devices. Likewise, engineering teams are utilizing an increasingly diverse set of suppliers and relying on third-party software where possible to save developer time, all while trying to satisfy the business and market thirst for these new capabilities. Unfortunately, many software development teams treat security as an afterthought, running only basic checks, if any, during their QA cycle.
This confluence of drivers – the lack of a security-first engineering philosophy, the increased use of third-party software, and the continually growing time-to-market pressures from business executives complacent about IoT security – will continue to put us in an increasingly tough spot, ripe for cyber criminals and nation states looking to exploit these connected devices and networks. These software vulnerabilities have already put consumer safety and privacy at risk, increasing corporate liabilities, eroding trust, and in some cases, shutting down critical public and industry services.
The fact of the matter is that smart devices nowadays are anything but smart. One recent study found that 70% of the top 10 IoT smart devices are vulnerable to exploitation. The daily onslaught of news reports regarding new devices, appliances, and systems that have been hacked includes stories that are quite terrifying, such as hackers remotely taking control of an automobile through its wireless hot spot connection and successfully commanding brakes and other critical systems.
So how do we evolve manufacturing processes to better protect our next-generation IoT devices? It starts with a sound plan that includes next-generation software assurance and a security-first methodology. Teams need to rethink how they deliver software quickly – with security, safety, and quality in mind from design to deployment. To do this successfully, teams must leverage new tools that help them more efficiently analyze the software they are developing – including both source and binary code.
New levels of software integrity can only be achieved if teams are able to eliminate both accidental coding errors and intentional designed-in vulnerabilities, through efficient analysis techniques suitable for actual highly complex applications. Teams can start by: mandating the use of source code analysis across their development teams – during development, quality assurance, and security auditing; utilizing binary analysis for third-party code analysis; and developing with a security-first philosophy.
As IoT applications become more feature-rich, with additional elements of internet connectivity and device intelligence, the risks of built-in security vulnerabilities are increasing. Despite this trend, awareness of the risks associated with insecure code is still low among IoT developers and QA teams, and is not a priority for most management teams.