Open Source Summit: Securing IoT is About Avoiding Anti-Patterns

LOS ANGELES — The security perils inherent in Internet of Things (IoT) devices are painfully obvious at this point in 2017, but why are there so many security issues? At a session during the Open Source Summit here, Marti Bolivar, senior software engineer at Linaro, detailed what he described as “anti-patterns” that ultimately lead to negative security outcomes.

Bolivar started his session by defining what IoT security is really all about with a quote from security engineer Ross Anderson: “By securing, I mean: ‘building systems to remain dependable in the face of malice, error, or mischance,’” Bolivar said.

Engineering teams fall into these anti-patterns for different reasons, including time pressure, cost and lack of knowledge. The first anti-pattern in IoT security detailed by Bolivar is to do nothing.

“This approach just accepts every risk, so it’s not very good at mitigating them,” he said.

Another anti-pattern is the so-called security by obscurity approach, which do-it-yourself models of security engineering often employ. In that model, developers hope that their system’s weaknesses stay hidden and will not be discovered.

The “Simon Says” approach treats security as a matter of authority: because someone important says the system is secure, it must be so.

A popular anti-pattern is for developers to assume that using cryptography and encryption secures their data or communications. Simply by having crypto, the system is assumed to be more secure. Bolivar said that crypto may be duct tape, but it isn’t magic, and it can often be misconfigured. Crypto implementations also carry plenty of worrisome vulnerabilities of their own.

Simply using multiple security technologies doesn’t make a system more secure; often it does the opposite.

Another anti-pattern is trying to build the perfect system. Bolivar said this model doesn’t work because the perfect system never ships.

With “release and forget,” all vulnerabilities become unfixable, Bolivar said. This can happen because your company is in a commodity market and faces tight margins, because it is a new startup, or because it otherwise doesn’t know any better.

Another anti-pattern is thinking the system is secure because you’ll sue anyone who says otherwise. Instead of being open to security researchers, this model aims to shut them down through legal threats.

What makes for good IoT security?

So what are the positive patterns for IoT security? Bolivar offers a few somewhat obvious steps:

  • Don’t connect or collect unless you need to
  • Iteratively build and use threat models
  • Use your existing workflows to threat model
  • Manage customer and community relationships
  • Be ready for when problems arise

Overall, Bolivar emphasized that developers should keep the anti-patterns in mind and be sure to avoid them.

“Keep researching vulnerabilities, both in your market segment and elsewhere, and apply what you learn,” he said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
