October 2014 marked forty-five years since the very first message was sent over the net – Arpanet (the forerunner of the internet) that is. Back then we didn’t have firewalls; there was nothing to monitor suspicious activity. It was a trusted environment where there was no reason to worry about the threat of a data compromise or a server hack. The last four decades have brought incredible advances in technology, giving rise to the current generation of the internet and what we now know as the World Wide Web.
We have seen the development of complex machines capable of waging war from thousands of miles away, conducting surveillance from hundreds of miles above the earth, and reaching deep into the innermost thoughts of companies and private citizens via the information stored on their computers. But the next generation of the Internet will be even more pervasive; the ubiquity of devices connected to the Internet will change our lives forever. In a recent study conducted by HP on the Internet of Things, 80% of the devices tested raised privacy concerns and over half were found to be vulnerable to some sort of attack.
Spanning TVs to home thermostats, the Internet of Things (IoT) trend is helping us to be more connected than ever. But the rising number of IoT devices also means we are facing an ever increasing number of security risks. To understand the extent of the threat, HP Fortify, part of the HP Enterprise Security Products organization, conducted the Internet of Things Security: State of the Union study.
The results were clear: 70 percent of the most commonly used IoT devices contained vulnerabilities in areas including password security, encryption and software protection. And the results highlighted the importance of ensuring that these products have application security built into them from the beginning—making it possible to protect consumers and enterprises by staying ahead of the adversary.
For the study, HP Fortify on Demand was used to test 10 of the most commonly used IoT devices—along with their cloud and mobile application components. In the process we uncovered an average of 25 vulnerabilities per device. These devices included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage-door openers.
The most common and easily addressable security issues reported included:
– Privacy concerns: 80 percent of the devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information.
– Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length. Most devices allowed passwords such as “1234”.
– Lack of transport encryption: 70 percent of the devices failed to encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network — leaving sensitive data vulnerable during its transmission across channels.
– Insecure web interface: 60 percent of devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. 70 percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
– Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
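Three of the findings above (weak passwords accepted, account enumeration through login or password reset, and updates that can be intercepted and modified) correspond to well-understood defensive patterns. The following is an added example written for this article, not code from HP or from any of the tested products. It assumes a hypothetical `AccountService` fronting a device's cloud or web interface, a constructed common-password list, and a device-provisioned key that stands in for the public-key signature a real update channel would use.

```python
import hashlib
import hmac
import os
import secrets

# Constructed list of weak passwords that a device or cloud front end should reject;
# "1234" is the example the study reports as accepted by most devices.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "admin", "qwerty"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000  # assumed floor for this example; tune upward for the target hardware


def password_policy_errors(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("is a commonly used password")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        errors.append("needs at least three of: lower case, upper case, digit, symbol")
    return errors


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt is stored with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountService:
    """Hypothetical account front end for a device's cloud or web interface."""

    RESET_MESSAGE = "If an account exists for that address, a reset link has been sent."

    def __init__(self):
        self._accounts = {}       # email -> (salt, digest)
        self._reset_tokens = {}   # email -> single-use reset token
        # Hashing a dummy password for unknown accounts keeps login timing uniform,
        # so the response does not reveal whether the account exists.
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, email: str, password: str) -> None:
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("; ".join(errors))
        self._accounts[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        salt, stored = self._accounts.get(email, self._dummy)
        _, candidate = hash_password(password, salt)
        matched = hmac.compare_digest(candidate, stored)
        # Same amount of work and the same False result for unknown-user and wrong-password cases.
        return matched and email in self._accounts

    def request_password_reset(self, email: str) -> str:
        # Identical response either way; a token is only created for a real account.
        if email in self._accounts:
            self._reset_tokens[email] = secrets.token_urlsafe(32)
        return self.RESET_MESSAGE


def image_digest(image: bytes) -> str:
    """SHA-256 of an update image, hex encoded; this is the manifest's content."""
    return hashlib.sha256(image).hexdigest()


def sign_manifest(manifest_digest_hex: str, key: bytes) -> bytes:
    """Vendor-side step (stand-in for a private-key signature): authenticate the manifest."""
    return hmac.new(key, manifest_digest_hex.encode("ascii"), "sha256").digest()


def verify_update(image: bytes, manifest_digest_hex: str, manifest_tag: bytes, key: bytes) -> bool:
    """Device-side step: accept an update only if the manifest is authentic and the image matches it.

    A modified image or manifest is rejected even when the download itself travelled over an
    unencrypted channel, which is the failure mode the study describes.
    """
    expected_tag = sign_manifest(manifest_digest_hex, key)
    if not hmac.compare_digest(expected_tag, manifest_tag):
        return False
    return hmac.compare_digest(image_digest(image), manifest_digest_hex)
```

The reset and login paths deliberately return the same message and do the same amount of hashing whether or not the account exists; that is what closes the enumeration channel the study found in 70 percent of the cloud and mobile components. The update check is independent of transport: TLS still belongs on the download, but integrity of the image must not depend on it.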
We will see virtually no limit to what “can be known” about anyone or anything. If someone wants to know what food you have in your refrigerator they will skim that information off of the next generation net. Where you have been and where you are going, and who you met there will all be discoverable. In this brave new world where everything is connected, guarding our digital assets by guarding a single endpoint like the drawbridge to the castle will no longer be feasible (actually, it’s not working all that well now). As long as our defenses rely on trying to identify the bad guys and stop them as they come through the door, failure will be inevitable.
Security has to start at the code level. We know that almost all security breaches in the past few years have been due to vulnerabilities in a web or mobile application – best estimates suggest about 86%. That means that most of these breaches could be avoided by simply writing application software that didn’t have bugs in it. Of course, this isn’t as easy as it sounds. There is no such thing as bug-free software. After all, we are only human.
But what if software wasn’t written by humans? We already see widespread use of computers to accelerate software development and the advantages are incredible. One person writing code line by line, at a rate of less than one hundred lines of code per day, might take a year to write even a relatively simple non-graphical application. Today, through extensive use of modular, well-specified APIs, one person with a good understanding of software development can design and create a small but useful application in a day. As this evolution of creating applications through the use of highly automated and mature toolsets continues, we will see better integration of automated design, implementation, and testing. With this evolution we will see a new level of maturity in the field of application security assurance. No longer will we need to write code while checking a list of do’s and don’ts for secure coding.
Someday, the need to have someone test our code as a last gateway before it gets rolled off the production line will be an anecdote in history. Just how will we accomplish this? The key is to test our code as it is being developed. The sooner a known vulnerability is identified the better. In other words, the more often we test the code, the better the chances are that it will be free of known vulnerabilities when it goes out the door. It’s that simple. And this simple but arduous task is precisely what computers are good at, and getting better at all the time. As the ability to automate software development improves, including testing for security flaws, we will see less and less need for the type of human involvement now required in writing and testing code. In fact, computers will be much faster and produce better results, making the manual aspects of software development an anachronism. As the task, and the responsibility, for creating software and the tools that test it shifts more and more to computers, we will see a shift in the ability to create bug-free software.
Automating application security testing will not be an option; it will be a necessity. Face it, computers are better at some things than humans. Hiring security testers to manually test your application will be a thing of the past; they will not be able to keep pace with current technological advances. The only way to thoroughly test applications is by leveraging the application security expertise of a human empowered by best-of-breed automated software testing tools. Automation will be key. Automate your processes. Automate your software development. Automate your testing.
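The simplest form of "test the code as it is being developed" is an automated check that runs on every commit and fails the build when it finds a known-bad pattern. The following is an added example written for this article, not HP Fortify on Demand or any other product's logic: a deliberately small static check, with a handful of constructed rules that mirror the study's findings (hard-coded credentials, cleartext download URLs, disabled TLS verification, weak hashes) run over a constructed sample source file. The rule names, the `gate` function and the sample file are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    text: str


# Constructed heuristic rules: (rule name, pattern). A real tool would parse the code
# rather than match text, but the commit-time gate works the same way.
RULES = [
    ("hardcoded-credential",
     re.compile(r"""(?i)(password|passwd|secret|api_key|token)\b\s*=\s*["'][^"']+["']""")),
    ("cleartext-url", re.compile(r"""["']http://[^"'\s]+""")),
    ("tls-verification-disabled", re.compile(r"verify\s*=\s*False")),
    ("weak-hash", re.compile(r"\bhashlib\.(md5|sha1)\s*\(")),
]


def scan_source(source: str) -> list:
    """Return one Finding per (rule, line) hit, in file order; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, stripped))
    return findings


def gate(source: str) -> bool:
    """Commit-time gate: True means the source may proceed, False means the build should fail."""
    return not scan_source(source)


# Constructed sample source for a hypothetical device update client; it is only scanned as
# text here, never imported or executed.
SAMPLE_SOURCE = '''\
import hashlib
import requests

ADMIN_PASSWORD = "1234"
UPDATE_URL = "http://updates.example.invalid/firmware.bin"

def fetch_update():
    return requests.get(UPDATE_URL, verify=False).content

def checksum(data):
    return hashlib.md5(data).hexdigest()
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"{finding.rule}: line {finding.line}: {finding.text}")
    raise SystemExit(0 if gate(SAMPLE_SOURCE) else 1)
```

Run as a pre-commit hook or a CI step, the non-zero exit status is what turns "we test often" from a policy into a mechanism: the sample file above never reaches the main branch until all four findings are resolved.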