The Internet of Things is exploding. This whitepaper helps product developers understand the security and privacy issues, their impact, and recommendations for embedding best practices during the PDLC.
IoT security and privacy: main challenges and how ISOC-OTA address them - Radouane Mrabet
Internet Society (ISOC) aims are:
make security an integrated function of connected objects and encourage IoT device and service providers for consumers to adopt the Online Trust Alliance (OTA) security and privacy principles;
increase the consumer demand for security and privacy in the IoT devices they purchase;
create government policies and regulations that promote better security and privacy features in IoT devices.
Internet of Things means every household or handy device which is used to make our world easy and better, and which is connected with IP and transmits some data.
This slide covers IOT description, OWASP Top 10 2014 & its recommendations.
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living... - CableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
https://www.cablelabs.com/informed/
An overview of security and privacy challenges that must be faced and solved when creating new Things for the Internet of Things. We discussed why Things are inherently insecure, together with examples of attack vectors, and learned some risk mitigation strategies. We realized why users should be wary of Things violating their privacy and gained awareness of upcoming EU privacy legislation that affects providers of IoT-based solutions. Talk given at Pixels Camp 2017, Lisbon.
The IoT Era Begins
Components of IoT-Enabled Things
IoT Reference model
IoT Security
IoT Security & Privacy Req. defined by ITU-T
An IoT Security Framework
IoT Security Challenges
Internet of Things - Liability
IoT security tools
We did not predict the Internet, the Web, social networking, Facebook, Twitter, millions of apps for smart-phones, etc. New research problems arise due to the large scale of devices, the connection of the physical and cyber worlds, the openness of the systems of systems, and continuing problems of privacy and security. It is hoped that there is more cooperation between the research communities in order to solve the myriad of problems sooner as well as to avoid re-inventing the wheel when a particular community solves a problem.
Internet of Things (IoT) will enable dramatic society transformation. This seminar presents an introduction to the IoT and explains why IoT Security is important.
Then it presents security issues in wireless sensor networks that constitute a main ingredient of IoT.
Seminar given at Centre Tecnològic de Telecomunicacions de Catalunya (CTTC) on 28 January 2015.
The growth of embedded systems connecting to the Internet or "Internet of Things" (IoT) increases year by year. Thus, the IoT ecosystems become new targets of the attackers. This presentation will talk about the basic principle of information security, why we need to secure IoT ecosystems, and also the vulnerabilities and solutions from OWASP.
As a novel computing platform in network, IoT will bring many security challenges to enterprise networks, and create new opportunities for security industry. This talk will provide a general overview of enterprise network security problems, especially the data security, caused by IoT. After that, a few existing security technologies are evaluated as necessary elements of a holistic network security that cover IoT devices. These technologies include: (a) IoT security monitoring and control; (b) FOTA for firmware vulnerability management; (c) NetFlow based big data security analysis. In the end, the practice of standard security protocols (such as OpenIoC and IODEF) will be strongly advocated for delivering effective IoT security solutions.
The session will highlight Intel's vision for IoT Security and the fundamental building blocks and capabilities Intel and the ecosystem are providing to organizations to build security in from design through deployment and maintenance.
Yesterday Pierluigi Paganini, CISO Bit4Id and founder Security Affairs, presented at the ISACA Roma & OWASP Italy conference the state of the art for the Internet of Things paradigm. The presentation highlights the security and privacy issues for the Internet of Things, a technology that is changing user's perception of the technology.
IOT Security. Internet of Things impact is everywhere from your bedroom to office. Everyone should be aware about iot security to run it without any hassle and security risk.
Why you should take IOT security training course?
Learn about risks of unsecured enterprise and home IoT devices connecting to the Internet and able to share the information they generate.
Iot security training covers these topics:
Device and platform vulnerabilities,
Authentication and authorization,
Web interface and software,
Transport encryption,
Management issues,
Privacy and security enhancements and other iot issues
Iot and security risks:
Most serious IoT security risks involve software. Software attacks can exploit entire systems, steal information, alter data, deny service and compromise or damage devices.
In a phishing attack, for example, Attackers also use malware, such as viruses, worms and Trojans, to damage or delete data, steal information, monitor users and disrupt key system functions.
Learn about:
IoT Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface, vulnerabilities and exploiting the vulnerabilities
Request more information.
Visit tonex.com for iot security training course and workshop detail.
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
This presentation discusses IoT, challenges associated with it, and common threats to IoT. It also briefs about how OWASP introduces Vulnerabilities in IoT.
Internet of Things (IOT): in simple terms, we can describe the IoT with a definition: it is "A virtual world with a physical touch". It is connected with everything that is related to the magnetic waves.
It is a new innovation in the era of technology that can change the face of technology and even we can see the change around us.
The Internet of Things (IoT), sometimes referred to as the Internet of Objects, is basically a complex network that seamlessly connects people and things together through the Internet. Theoretically, anything that can be connected (smart watches, cars, homes, thermostats, vending machines, servers…) will be connected in the near future using sensors and RFID tags. This allows connected objects to continuously send data over the Web and from anywhere. The term was first used in 1999 by Kevin Ashton, the creator of the RFID standard.
IoT Security – Executing an Effective Security Testing Process - EC-Council
Deral Heiland, CISSP, serves as the Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral's career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers and security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.
INTRODUCTION
IoT history
IoT world
IoT in Gartner Hype cycle
IoT economic impact and trends
ABOUT IoT
What is IoT ?
IoT market environment
Technologies behind IoT
IoT global roadmap
APPLICATIONS OF IoT
Selection of impacting examples
IS IoT FOR YOU?
List of questions to help you move forward!
Why should you start exploring IoT opportunities?
Preliminary questions before jumping in (Skills, assets…)
What exactly is the Internet of things??
The Internet of Things (IoT) is a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Privacy on the Series of Tubes of Things - EFF-Austin
Created and presented by Todd Manning for the EFF-Austin Meetup on November 17, 2014 at Capital Factory in Austin, Texas.
https://www.youtube.com/watch?v=OiLpe3--ZB8
Privacy, the Internet of Things and Smart Cities - Lilian Edwards
Updated version of my paper, delivered Florence spring 2016. How can we obtain consent to sharing of personal data in a ubiquitous/IoT environment? Is it possible given the requirements of the GDPR and E-Privacy Directive?
Privacy and Security in the Internet of Things - Jeff Katz
Jeff Katz from KIWI discusses topics relating to Privacy and Security in the Internet of Things. What you should do, what you should never do, and what to avoid becoming. From the IoT Conference September 2015 in Berlin
How Internet of Things (IoT) is Reshaping the Automotive Sector - Infographic - HARMAN Services
"The cars from science fiction movies are coming to reality. Customers are waiting to discover their own car based 'siri' or 'cortana' or dare we say 'Jarvis' (for the inner Iron Man in them).
In a software defined world, silicon valley seems to be at par with Detroit in innovating car based experiences through internet of things (IoT). Starting with Google, and its pioneering effort in rewriting the rules of driverless cars, connected automobiles are steadily making their way into automotive market.
And the future is set for the IoT connected cars to lead and thrive in this innovation hungry world. Park Associates estimates that a whopping 78% car owners will demand connected features in their next vehicle.
We created an infographic which lucidly shows how connected cars are going to shape the future of driving and transport. Check it out! "
A review of the current and future trends in cyber-security, how the law may treat a breach of cyber-security and what you can do to minimise your exposure.
A seminar presentation on Open Source by Ritwick Halder - a computer science engineering student at Academy Of Technology, West Bengal, India - 2013
Personal Website - www.ritwickhalder.com
The internet of things (IoT): IoT academy - AnkitThakkar46
The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
"The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction."
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf - online Marketing
As IoT (Internet of Things) devices weave into the fabric of our daily lives, from smart thermostats to connected cars, the need for robust IoT cyber security measures has never been more pressing. Let's dive into 12 IoT cyber security threats that pose significant risks and offer guidance on navigating these digital waters safely. Please visit: https://www.cyberhive.com/insights/12-iot-cyber-security-threats-to-avoid/
F5 Networks: The Internet of Things - Ready Infrastructure - F5 Networks
The world of smart devices talking to each other, and to us, is well underway and here to stay. To connect to the Internet of Things opportunity, it's key to design and build networking infrastructures that can handle massive amounts of new data.
Internet of things (IoT) Architecture Security Analysis - Daksh Raj Chopra
This Document Briefly summarizes the Security and Privacy Concern Evaluation of Internet of Things (IoT)'s Three Domain Architecture. The Security implementation challenges faced by IoT devices are addressed along with newly Added Requirement for these devices. The Architecture which we will be using throughout our analysis is explained so as to a novice user. We will summarize the possible attacks and countermeasures for each and every domain followed by a developer friendly checklist to be followed for security.
The Internet of Things (IoT) is a thriving network of smart objects where one physical object can exchange information with another physical object. In today's Internet of Things (IoT) the interest is the concealment and security of data in a network. The obtrusion into Internet of Things (IoT) exposes the extent with which the internet of things is vulnerable to attacks and how such attack can be detected to prevent extreme damage. It emphasises on threats, vulnerability, attacks and possible methods of detecting intruders to stop the system from further destruction. This paper proposes a way out of the impending security situation of Internet of things using IPV6 Low-power wireless personal Area Network.
Cybersecurity stands as the bedrock of our digital world, safeguarding systems, networks, and data from a rising tide of cyber threats. In the era of the Internet of Things (IoT), where an ever-expanding array of devices and objects are seamlessly interconnected, the importance of cybersecurity has escalated to unprecedented levels.
Security & Privacy Considerations in Internet of Things
Somasundaram Jambunathan
1 Introduction
In today's digital world, the Internet of Things (IoT) is exploding, outpacing Moore's law. Within a few quarters, the few million devices we have will turn into many billions of devices, which may potentially grow to trillions by 2020. These billions and trillions of devices will instrument and control the real world through software of various sizes and different services, augmenting it to make our lives easier and potentially transforming and dictating how we live, work and play.
Yes, welcome to the home of IoT: billions and trillions of unmaintained, insecure, tiny interconnected devices interacting and leveraging advanced analytics and predictive algorithms to ensure better service quality. Though it offers innovative opportunities in areas like Smart City, Smart Energy, Smart Agriculture, Retail and E-Health to build multi-scale products with exponential benefits, it also comes with the lingering possibility of large-scale exploitation of the system, leading to potential economic, technological, and societal damage.
2 Criticality of Security and Privacy in IoT
IoT is making sure that the world around us is hooked up to each and every other thing or device, which will allow efficiencies of an exquisite degree. For example, in smart agriculture we can reduce power consumption by watering the plants or crops only when the bio sensors implanted in the soil signal a need for water; this saves water and power and increases the crop yield. IoT sensors will also allow you and your physician to track your blood chemistry, insulin level (for diabetics) and digestion in real time on E-Health systems.
But if these connected systems are hacked, where privacy is mostly also involved, people can hack your movement across city roads, raise false alarms at your home, and make E-Health systems such as insulin pumps, glucose monitors and pacemakers work differently, denying life-critical real events and causing physiological damage to the wearers or users of such devices.
The tiny devices that make up most IoT systems form a world of heterogeneous embedded devices that intersect with the enterprise network, producing huge amounts of user data and events and creating the possibility of new service and product lines; they can also cause physical and physiological damage through stealthy and persistent online attacks.
Security and privacy experts were stunned by the attack reported to have happened between 23rd Dec 2013 and 6th Jan 2014, in which more than 100,000 smart TVs, refrigerators, and other smart household appliances were compromised by hackers to send out 750,000 malicious spam emails, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide. This first home appliance "botnet" (a hack involving computers that appear to be functioning normally but are secretly controlled by cyber criminals) was a network mesh of many tiny devices that are poorly protected, and consumers have virtually no way to detect or fix infections when they do occur. Enterprises that provide services using IoT may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them.
3 How IoT is structured
Though many layers can be derived in this ecosystem for various use cases, we can collate them as:
1) Sensing Nodes - Sense data and have the ability to collect it
2) Local Processing Nodes - Layers of local embedded processing capability (local embedded processing nodes)
3) Connectivity Nodes - Wired and/or wireless communication capability
4) Services Nodes - Software to automate tasks and enable new classes of services
5) Solution Nodes - Domain-specific solutions that directly interact with end users.
4 Challenges posed by growing IoT Ecosystem
The exponential growth of devices and endpoints in the IoT ecosystem has resulted in a variety of challenges for researchers, such as:
1. Things / Device Ecosystem Diversity
With a host of new ecosystems and tons of existing ones appearing every day, consistency of host devices is a big challenge.
2. Device Internet Bandwidth (Consumption Constraint)
Although IPv6 addresses the exhaustion problem of IPv4, the transition time and complexity are still on the higher side.
3. Devices Threats
Installed devices can be cloned, replaced, modified or stolen, as they are mostly placed in remote locations, or can affect humans physiologically for certain behavior.
4. Information security and privacy
With a surge in the number of devices participating in handling sensitive information, privacy enhancing technologies (PET) must form the core of any IoT design.
5. Data Integrity/Access Control
With data travelling across diverse devices, it is important to establish the contextual integrity of data.
6. Breakdown immunity
With a breakdown potentially affecting millions of people, fallback mechanisms must be developed for damage control.
7. Establishing object trust/traceability
Since the data flows through multiple checkpoints and inter-device boundaries, it may be difficult to trust and trace a specific part of the data.
8. Data reuse
The data in an IoT network travels across multiple device boundaries, which raises the possibility of it being used outside of the intended authorization.
9. User maneuverability
With a large amount of user data shared for the IoT services of a provider, data migration would be a challenge.
10. Loss of human control
As technology develops, more predictive algorithms will result in autonomous operation of systems, which would subsequently make human intervention difficult.
11. Legal operability
As multinational organizations provide geographically dispersed data and information services, compliance with local/national/international laws may be a hurdle.
Apart from the above parameters, IoT operates on low-cost innovative solutions and primarily runs on a variety of cheap sensors that are used to monitor everything. Technology advancements and increased computing power, plus declining hardware costs and free software tools widely available on the Internet, have contributed to an increased number of security risks.
Though there are relatively many blocks that need to be addressed and prioritized, Privacy and Security are seen as the key technical blocks needed.
5 Why IoT Security and Privacy are Difficult?
• Firmware / Software
  o Mostly a customized OS resides on the device, so the best security controls are not in place.
  o They are independent and can be modified or attacked easily at all levels: firmware, OS, middleware.
  o Raw firmware or data between lines can be decompiled to extract credentials, as the devices are in remote locations.
  o Can be exhausted, which means denial of service.
• Communication
  o Lots of Wi-Fi, BTH or Zigbee based devices in IoT sending information in parallel
  o Eavesdropping
  o Man-in-the-middle attacks
  o Rerouting traffic
  o Theft of bandwidth
• Physical insecurity: devices or things are mostly placed in remote locations where there is no physical control or possession, e.g. sensors placed in public locations, in buildings with lots of people nearby, or soil sensors in agriculture.
• Constrained devices: device units are too constrained to enforce security controls or do heavy-weight cryptography, as they have less power, bandwidth and memory.
• No clear standard and no geo / global regulations. Mostly there is no "best practice" solution, as most of them are ad hoc.
• Highly meshed networks of devices / things mean that we have the possibility of a "weakest link". This might be the entry point for any hacker.
• As there are many contributors like people, hardware, software, systems, businesses, and more, the solution to a problem is not constrained to a module, but rather extends to the entire system.
• When exposed to the internet, we might have classic web threats to deal with: XSS, CSRF, content injection, etc.
• Product designers think security functionality costs more in time to develop and market, and so is inconvenient; for example, buying sensors and constrained devices with encryption coprocessors is expensive and hard.
6 Implementation Failures in IoT Products
As most of the IoT-related products flooding the market are from startups that have innovative concepts but lack time and budget, they tend to override the product lifecycle. Below is the list of failures commonly seen in most IoT products. Though certain enterprises have hard guidelines, a few of these are overridden there too, due to common framework usage in both hardware and software.
• Unencrypted Storage of Customer Data
• Hardcoded Web Service Credentials
• Passive Customer Sign up for 3rd Party Services
• Unencrypted Local Video Streaming
• Information Leakage
• Poor Password Security
• Numerous Network Services
• Failure to properly implement HTTP Digest
• Long Life (Clear Text) API tokens
• Open Internet proxy
• Lack of Authentication of Customer Data
• Poor Mobile Security
• Generic ODM firmware
• Clear-Text API calls
• Passive Wi-Fi recon
• File Deletion control broken
• Hardcoded OS credentials
7 Security Solution Considerations for IoT
Security at both the device and network levels is critical to the operation of IoT. The same intelligence that enables devices to perform their tasks must also enable them to recognize and counteract threats. Fortunately, the components in this ecosystem do not need any revolutionary security testing approach, but rather an evolution of measures that have proven successful in IT networks, hardware devices and middle layers, adapted to the challenges of IoT and to the constraints of connected devices. Instead of searching for a solution that does not yet exist, or proposing a revolutionary approach to security, we should focus on identifying and delivering the current state-of-the-art IT security controls, optimized to address the extremely complex IoT ecosystem.
The above pictures help us to understand the various blocks that help to acquire, process, analyze and monitor the data / events within the ecosystem at various levels. For better understanding, we categorize these blocks into pillars, to display the impact of the security breaches that can happen at each pillar and the ways towards mitigation.
These pillars translate to:
1. Transport Security: To provide the appropriate level of identification, privacy, and integrity to network communication.
2. Storage Security: Provides the appropriate level of protection to persistent data held on the device or within the system.
3. Software Platform Security and Implementation: Select and implement platforms and supporting technologies that provide a robust and layered environment upon which to build the solution easily and quickly.
4. Functionality Security and Implementation: Implement functionality using a technology stack and tools which enable it to be done in a secure fashion.
5. Logging, Auditability, and Forensics Enablement: Concrete sources of logs from low-level and high-level software components which facilitate investigation of misuse.
6. Sustainability and Upgradeability: Features which facilitate the ability to securely upgrade devices when vulnerabilities are discovered after release.
7. Hardware Platform Security: Ensuring the hardware platform provides the required security features.
8. Managing and Monitoring: Ensuring that IoT devices can be securely managed and monitored.
The following table summarizes the security threats we identified above and the potential points of vulnerability at different layers of the communication stack. We also include related RFCs that include a threat model that might apply to the IoT.
Layer | Manufacturing | Installation/Commissioning | Operation
Things Model | Device Cloning | Substitution | Privacy threat; Extraction of security params
Application Layer | | RFC2818, RFC4016 | RFC2818, Firmware replacement
Transport Layer | | Eavesdropping, Man-in-the-middle; RFC4919, RFC5713, RFC3833, RFC3756 | Eavesdropping, Man-in-the-middle
Network Layer | | | RFC4919, DoS attack, Routing attack, RFC3833
Physical Layer | | | DoS attack
The above table emphasizes that we need to consider security at all layers and pillars of the ecosystem. To make sure we have complete coverage of security and privacy in IoT, we believe that we should start early and that it should be part of the entire product lifecycle, from ideation to maintenance, while the product sustains in the market for many years.
In the following section we outline for implementers the types of cyber-security-supporting decisions and activities that are recommended during the different product lifecycle phases. The purpose is to provide practical advice and guidance to help ensure cyber-security is both presented and considered throughout the development of the product, while also providing technical considerations for implementers.
Below we discuss how to travel through this product lifecycle in its various phases, outlining the security mechanisms that need to be considered and the decisions that need to be made at each level, to help product developers and Quality Engineering experts.
7.1 Phase 1: Concept Design, Market Analysis, Competitive Analysis, and Research
This phase is the most crucial, as it provides very high-level inputs on the overall product, the security considerations to be addressed, and its viability. We would:
1. Analyze the product market and geo-specific regulatory, legislative, physiological, privacy and security insight and research.
2. Understand competitors' products in terms of security and privacy capability and market differentiators, and make sure those implementations also make our product viable to sell.
7.2 Phase 2: Requirements and Stories
1. Provide high-level market and technical cyber-security requirements and stories.
2. Review other requirements to identify potential security risks and exposures, understanding that they may be acknowledged and accepted and the risk borne due to overriding factors.
7.3 Phase 3: Design, Architecture and Technology Stack Selection
This phase involves multiple components such as hardware, firmware for that specific hardware, and product-specific software with middleware interfaces. Product Managers have to decide on the design considerations for the hardware and software mode, but equally the functional requirements and their architecture should be able to adapt to the geo-specific and product-specific security and privacy needs of today and the future. Below are brief descriptions to be used when making decisions in this phase.
7.3.1 Hardware
1. Verify whether the device / thing has a trusted or verified boot option
2. Hardware-accelerated cryptography needs to be considered, which might reduce the software dependency and related risk
3. Privilege levels, rings or domains need to be defined and used
4. Trusted execution in secured memory for the firmware
5. Access to DMA (Direct Memory Access), IO (Input/Output) pins and bus lines needs to be verified, so that others' access to them and to secured data is restrained
6. JTAG / SPI / I2C-type interfaces need to be secured, as there is a high possibility of sniffing and modification
7. The firmware update methodology needs to be ascertained for all possibilities of secured installation and modification
8. Impacts on configurations and calibrations when carried out through external components need to be understood
9. Secure erase and wear levelling test cases need to be created for all memory and external interfaces
10. Verify whether anti-tamper / tamper-detection evidence indicators are enabled and meet the security testing requirements
11. Verify whether wireless / RF components inherit the security risks that are identified
12. Production hardware schematic review and verification
13. Hardware and software modules, including the operating system, its core security properties and features, and its configuration, should be verified as being in line with the security requirements, with no additional artefacts present.
7.3.2 Software
a. Programming language selection - Understanding the security considerations for the language can ensure they are accommodated in architecture, development, and testing.
b. Developer tooling should facilitate secure coding, implementation of defensive techniques and leveraging of operating system defenses.
c. Plan to use modern compilers with security options turned on, and IDEs and CI systems that can perform static code analysis.
d. Ensure the development frameworks selected enhance security rather than detract from it. These can include web frameworks that reduce common vulnerability classes or native language frameworks that address common memory corruption vulnerability classes.
e. Select a modern operating system or platform that provides defence-in-depth properties, including but not limited to ASLR, non-executable memory, process segregation, and sandboxing.
f. Plan how updates to third-party libraries will be tracked and integrated on an ongoing basis as security vulnerabilities are discovered.
g. Leverage compiler, operating system, and platform security features.
7.3.3 Functional Requirement Design and Architecture
1. Installation and customization - potentially opens up devices or systems to attack upon initiation.
2. Connectivity authentication - consider how the connectivity will be authenticated, where the credentials will be stored and how easily credentials can be transplanted to another device.
3. Data communications - decide how communication would occur in line with the desired privacy and integrity requirements.
4. Man-in-the-middle and similar attacks need to be mitigated and tested.
5. Define encryption requirements for storage and transport. Also decide how keys will be generated, stored and transmitted.
6. Hashing requirements for the product need to be defined.
7. Performance overhead on CPU, memory, external interfaces and wireless, and the impact on battery, need to be considered.
8. Data integrity requirements will influence the design and cost of the product through the right selection of software and hardware.
9. Ability to identify the device and users when cloning and similar attacks happen.
10. Non-repudiation - understand if transactions or requests from the device or user need to be non-repudiable.
11. Data destruction on a device needs to be devised for standard operation or for the case of compromise or loss.
12. Define the authentication levels and the data, functionality and network services that need to be exposed and hidden.
13. Do these services require an authorization model as well as authentication?
14. Service interaction - define the secured services interaction model, elevated access abstraction, and identification of the service before interacting on sensitive information.
15. Define how the device will be remotely managed securely.
16. Check how vendor support needs to be enabled for various backdoor services; it should be advertised, secured, and optionally disabled by the user to enhance security.
17. Define the product upgrade model in a secure and scalable fashion to address future security vulnerabilities or other bugs that require a software fix.
18. Logging and auditing should be enabled.
19. Backup, restore and recoverability functionalities at all levels, including firmware, need to be defined along with their impact.
7.3.4 Phase 4: Implementation
During this phase we should also consider the pointers below:
1. Adherence to secure programming guidelines.
2. Platform lockdown early on in the development lifecycle.
3. Use of agreed developer tooling in defensive configurations.
4. Static code analysis performed as close to development as possible.
5. Ensuring that the latest versions of third-party libraries and components, which resolve known security issues, are used.
6. Production of positive and negative unit and functional test cases.
7.3.5 Phase 5: Verification and Testing
a) Production hardware schematic review and verification.
b) Base platform analysis.
c) Network traffic analysis.
d) Interface analysis.
e) Interface security analysis.
f) Verification of functional security requirements.
g) Verification of functional security design and architecture requirements.
h) Trust boundary review, functionality assessment and fault injection.
i) Side channel attack defense verification.
j) Targeted security focused code reviews.
k) End to end functional security assessment or product penetration test.
7.3.6 Phase 6: Product Security Sustainment and Maintenance
Sustainment is one of the most overlooked phases and encompasses a whole set of policies, procedures, and
technical activities. A product sustainment plan typically needs to be able to:
a. Receive and process reports of security issues from external parties.
b. Proactively monitor for reports of security issues in third-party components used and work with
development to integrate as appropriate
c. Regularly liaise with vendors of components used to identify if further releases have occurred that
address security issues.
d. Maintain a capability that can triage, resolve, test, ship, and distribute patches for security issues
identified.
e. Have a plan in place for worst-case scenarios such as product recall or widespread repair.
7.4 Security Threats and Impacts
Though there are many threats to an IoT system, and some may be specific to a system or to an environment, below is the short list that needs to be considered as part of the IoT product lifecycle, helping product designers, testers and implementers. This list does not state the risk that these events may occur; however, it helps developers and the security testing team to consider and plan ahead, with appropriate risk analysis done for the specific product.
Threat | Description | Impact
Compromise on Device and Its Data | Compromise of the device or its data, either partially or entirely locally, through either hardware or software means. | External security boundary is breached.
Privilege escalation | Increase in access, either locally or remotely, breaching a security boundary. | Degradation or failure of a security boundary leading to an increased level of access either on a temporary or permanent basis.
Impersonation | Impersonation of a trusted entity. | Degradation or failure of a security boundary leading to an increased level of access either on a temporary or permanent basis.
Persistence | Persistent access is obtained post-compromise through configuration modification or hardware / software manipulation. | Integrity of the platform or the external security boundary enforcement is no longer effective.
Denial of service | Service is lost, either partially or entirely, on a temporary or a permanent basis. | Degradation in availability or functionality.
Traffic interception or modification | Network traffic of any type can be intercepted, or modified. | Underlying trust in the integrity and privacy of the data traversing the network can no longer be guaranteed.
Stored data access or modification | Persistent data is read or modified. | Underlying trust in the integrity and privacy of the persisted data can no longer be guaranteed.
7.5 IoT Security Testing - Best Practices
Below are a few pointers that may be product or device independent, but they need to be considered while devising a plan for testing.
i. Verify if the device identity is tracked all through the device lifecycle
  a. Check if the devices register themselves
  b. Check if this process happens during every boot and within a pre-set frequency.
ii. Always verify / keep track of the device behavior
  a. Cross-check with the product requirement document on the device specifics and its variable information
  b. Check it on the server side and confirm if the devices are hacked or spoofed.
iii. Check if the product has the ability to block compromised devices. Any device needs to be blocked for its activity with the following:
  a. Only the devices in the list should have access control
  b. The product should be able to filter any unauthorized protocols and undefined packages
  c. It should have the ability to jam or ignore the signals from devices, if needed or as needed in the product
  d. It should have options for users / support engineers to unplug the power
  e. On the device, or a specialized device
iv. We need to consider that low-power or cheaper devices cannot encrypt data using standard encryption techniques or through in-built hardware encryption, due to less memory, and encryption might drain the battery fast.
v. Check if there is any unencrypted data stored within the product.
  a. Check if the devices are accessible publicly or protected with encryption
  b. If the data is not encrypted, verify that the device has the ability to send it to the next available module, where encryption has to be done to store the data safely.
vi. Verify if unencrypted data is sent over long distances.
vii. If data is sent over long distances, verify if there is a local "gateway" or a powerful local device to encrypt it on behalf of dumb devices
viii. Verify if we have shadow encryption and data mangling strategies in case of any failures.
  a. Check if the devices / components are signed
  b. Check if ciphers (a secret way to write code), hashes and arithmetic algorithms are implemented to hide the data / content
ix. Verify that all smart devices in the product communicate with the defined handshake protocols and use only reliable communication mechanisms like WiFi, RF etc.
x. Verify if your things can be penetrated through spying
  a. Always test by intercepting the communication between your "things"
  b. Verify the communications and detect if there are any anomalies
xi. Audit if there are physical canaries applied through "social control" amongst devices
xii. Verify if the devices report that other devices are talking to them inappropriately
xiii. Validate that there is no execution or update, such as firmware or software updates, from untrusted sources or users.
xiv. Validate if the firmware is digitally signed and tamperproof.
xv. Validate that unlocking a single device risks only that device's data
xvi. Validate that physical access to the devices is taken care of during implementation / installation
xvii. Validate that virtual access is prevented by not opening inbound ports: devices are designed without "listeners" or "servers", and only "workers" or "agents" and remote queues with outbound connections are used.
xviii. Validate that virtual tampering is also disabled.
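One way to exercise items i to iii on the server side, as an added example that is not part of the original whitepaper: a small registry that accepts registrations only from allow-listed devices, quarantines a known ID presented with a different hardware fingerprint as a possible clone, notes a new boot session that skipped its boot-time registration, and lists devices that missed the check-in window. The event fields, the 300-second interval and the sample feed are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

CHECKIN_INTERVAL_S = 300   # assumed pre-set re-registration frequency
GRACE_S = 60               # assumed tolerance for network delay


@dataclass
class DeviceState:
    fingerprint: str                   # hardware-bound value recorded at commissioning (assumed)
    last_seen: Optional[int] = None    # time of the last accepted registration
    boot_id: Optional[str] = None      # boot session seen at the last accepted registration
    blocked: bool = False
    findings: list = field(default_factory=list)


class DeviceRegistry:
    def __init__(self, allow_list):
        # allow_list maps device_id -> expected fingerprint
        self.devices = {d: DeviceState(fp) for d, fp in allow_list.items()}

    def register(self, ev):
        """Apply one registration event and return the decision string."""
        state = self.devices.get(ev["device_id"])
        if state is None:
            return "reject:not-on-allow-list"
        if state.blocked:
            return "reject:blocked"
        if ev["fingerprint"] != state.fingerprint:
            # Known ID presented by different hardware: treat as cloned or
            # substituted and quarantine the ID until an operator clears it.
            state.blocked = True
            state.findings.append((ev["ts"], "fingerprint-mismatch"))
            return "reject:fingerprint-mismatch"
        if ev["boot_id"] != state.boot_id and ev["kind"] != "boot":
            # A new boot session appeared without a boot-time registration.
            state.findings.append((ev["ts"], "missed-boot-registration"))
        limit = CHECKIN_INTERVAL_S + GRACE_S
        if state.last_seen is not None and ev["ts"] - state.last_seen > limit:
            state.findings.append((ev["ts"], "late-checkin"))
        state.last_seen, state.boot_id = ev["ts"], ev["boot_id"]
        return "accept"

    def overdue(self, now):
        """Allow-listed, unblocked devices that have not registered in time."""
        limit = CHECKIN_INTERVAL_S + GRACE_S
        return sorted(d for d, s in self.devices.items()
                      if not s.blocked
                      and (s.last_seen is None or now - s.last_seen > limit))

    def block(self, device_id):
        """Operator action: stop honouring a device believed compromised."""
        self.devices[device_id].blocked = True


# Constructed sample data: three commissioned devices and a registration feed.
ALLOW_LIST = {"sensor-01": "fp-aaa", "sensor-02": "fp-bbb", "valve-07": "fp-ccc"}
EVENTS = [
    {"ts": 0,   "device_id": "sensor-01", "fingerprint": "fp-aaa", "boot_id": "b1", "kind": "boot"},
    {"ts": 10,  "device_id": "sensor-02", "fingerprint": "fp-bbb", "boot_id": "b1", "kind": "boot"},
    {"ts": 290, "device_id": "sensor-01", "fingerprint": "fp-aaa", "boot_id": "b1", "kind": "periodic"},
    {"ts": 320, "device_id": "cam-99",    "fingerprint": "fp-zzz", "boot_id": "b1", "kind": "boot"},
    {"ts": 400, "device_id": "sensor-02", "fingerprint": "fp-XXX", "boot_id": "b4", "kind": "boot"},
    {"ts": 410, "device_id": "sensor-02", "fingerprint": "fp-bbb", "boot_id": "b1", "kind": "periodic"},
    {"ts": 600, "device_id": "sensor-01", "fingerprint": "fp-aaa", "boot_id": "b2", "kind": "periodic"},
]


def run(events, allow_list, now):
    """Replay a feed and return (registry, per-event decisions, overdue devices)."""
    reg = DeviceRegistry(allow_list)
    decisions = [reg.register(ev) for ev in events]
    return reg, decisions, reg.overdue(now)


if __name__ == "__main__":
    reg, decisions, overdue = run(EVENTS, ALLOW_LIST, now=1000)
    for ev, decision in zip(EVENTS, decisions):
        print(ev["ts"], ev["device_id"], decision)
    print("overdue:", overdue)
```

Quarantining the ID after a fingerprint mismatch also rejects the genuine device until someone investigates, which is the conservative choice when the server cannot tell which of the two is the clone.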
8 Data Privacy in IoT
The IoT ecosystem is built on TRUST across three important areas: Industry, System and End User. While System Trust may be related largely to technological advancements and the implementation of "privacy enhancing techniques", Industry and User Trust can only be cultivated by the right mix of involvement of consumers, private bodies and regulatory bodies across geos.
We have two major policy frameworks today, defined by the European Union Commission and the United States Federal Trade Commission, that revolve around legal regulation, self-regulation, government regulation, international agreements, global / regional issues, user behavior in that geo and many more. While testing, the QEA organization has to consider the devices, their deployment location and adherence to the respective regulations of that geo.
8.1 Regulations through European Union Commission
It aims to issue legislation that establishes a regional framework before applying it at a global level, making the whole system functional. The EU laid down a few actions that include:
• Governance implementation
• Privacy monitoring and personal data protection
• IoT infrastructure of utmost importance
• Standardization of IoT technologies
• Public and private sector cooperation
• Institutional awareness
• International dialogues
The test strategy for this EU legislation should focus on:
1) Validating if users are enabled with the "Right-to-know" aspect, where users will know what data is collected and should have the option to deactivate tags if needed.
2) Validate if the product has "Prohibition" enabled, which prohibits certain behavior if the public / user community dislikes it.
3) Validate for "IT-security" rules that would protect the application from unwanted reading and rewriting.
4) Validate the "Utilization" policy that ensures information is available in scenarios where it might be required.
5) Validate the "Task-force" policy that researches legal challenges and their resolution.
Highlights of the EU legislation that need consideration:
a) Addresses many aspects but does not consider the merits of self-regulatory models and industry standardization.
b) Ensures that the principles of verticality, ubiquity and technicity can be taken into account.
c) Only applicable to member states in Europe and not globally
d) Attests that privacy and data protection problems in the field of the IoT are taken seriously
8.2 Regulations through United States Federal Trade Commission
This regulation is around the recommendation to implement a Consumer Privacy Bill based on the Fair Information Practice Principles (FIPP), along with a framework to assess how different scenarios in the regulation would apply to different businesses. In the same report, the FTC highlighted five key points of consideration for government policymaking efforts in future years for all digital technologies, including IoT:
a) Do Not Track: Noting the efforts by the Digital Advertising Alliance (DAA), browsers (e.g. Mozilla) and the W3C consortium in helping the consumer with opt-out options, the commission reiterated its support to the above stakeholders.
b) Mobile: The commission planned on working with companies providing mobile services on creating succinct and clear messages for customers for better transparency.
c) Data Brokers: The commission called on data brokers who collate and use consumer information to create a centralized platform giving consumers easy access to information on how their information is being used.
d) Large Platform Providers: Large platforms like ISPs actively track consumers' online activities and must be enlightened for addressing privacy concerns.
e) Self-Regulation: Sector-specific regulatory codes and ensuring compliance with these codes.
During this policy framework discussion, the need was stressed for developing a context-aware system, inclusive of the culture, demographics and user perceptions of data use, to supplement the privacy and security of consumer data in an interconnected world and increase the acceptability of IoT. The framework should also comply with the following:
• Products should comply with the common framework unless they handle only a limited amount of data that is not sensitive and not shared with any third parties
• Products should be designed to work with all best practices that are followed with existing privacy and security statutes.
• These regulations apply to online and offline data too.
• The regulations should be followed for all data that is reasonably linkable to a specific customer, computer or device.
• Products must provide reasonable security for consumer data.
• Companies should limit their collection of data.
• Companies should implement reasonable data retention and disposal policies.
• Companies should maintain reasonable accuracy of consumers' data
• Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
Overall, any IoT product that is developed and shipped across geos should follow the below charter to make sure it is sustainable and sellable.
8.3 IoT Privacy Testing – Best Practices
• Verify if the geo-specific privacy laws are adhered to across the product components.
• Verify if the product catalogue and product user interfaces make users aware of the data collected and if the consent of users is
received and validated.
• Validate if the data profiling is done as per the product requirement, as each user or the things attached are different for every scenario.
• Validate if the personally identifiable information (PII) is handled as defined in the product requirement.
• Validate if the geo-specific product adheres to that specific geo's local privacy laws; for example, US and EU privacy laws have
many conflicts, so the test plan and test cases need to be different.
• Check the product for any personalized data that is stored, processed or sent and is not part of the product requirement.
• Validate that the product does not deviate from the trust on which it is built, such as on data collection, authentication, reliability of
communications etc.
• Validate if the context of data collection resides on the devices or cloud. Ideally a great product should have it on cloud / middle layer.
9 Quality Engineering Considerations in IoT:
We understand that the IoT ecosystem is nothing but the combination of various elements that come together to
represent a product. Though most of the elements in this ecosystem are created for other purposes, they can be
customized for a specific product, and so the entire product has to go through individual system testing and also
aggressive system integration testing.
Though we can go through various regulations and best practices, we wish the Quality Engineering and Assurance team to
consider a Structured Testing Approach and a Consistent Testing Methodology based on industry-wide best practices
like OSSTMM, OWASP, WASC. Recently, "OWASP" has specifically formulated an Internet of Things Top 10 project site
that has been created to assist vendors with securing their products.
These best practices and standard security and privacy testing techniques, combined with manual testing along with the
use of automated tools, should be leveraged wherever possible. Devices and their components should additionally be
assessed based on this OWASP Internet of Things Top 10 list and the specific vulnerabilities associated with each top
10 category.
The OWASP Internet of Things Top 10 - 2014 is as follows:
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
11 About the Author
Somasundaram Jambunathan, Associate Director, Cognizant Technology Solutions
Somasundaram (Soma) comes with fifteen years of relevant IT experience spanning multiplatform development and testing
for embedded and mobile applications. At Cognizant, Soma leads the Mobile Testing Center of Excellence and also heads the
Research and Development Unit that focuses on building various testing tools for mobile and connected devices. Soma's
expertise spans areas including implementing cutting-edge mobile applications like seamless mobility client, push-to-talk and
mobile multimedia apps. With his forte in development of automation frameworks and testing process for mobile testing for
marquee clients, Soma has built a pool of mobile developers and test consultants with an array of innovative service offerings in
a short span of time.