Source code security is a must-have for improving IoT security

September 28, 2022

As attacks continue to evolve, IoT device manufacturers should integrate security into the product design stage, conduct security testing on the source code early in development, and fix the weaknesses found. In this way, the weaknesses and risks of IoT products can be effectively reduced, and a hard-earned reputation can be protected.

Despite the improvement of overall security awareness and the increased investment in security in recent years, enterprises still cannot effectively prevent malicious programs from getting in, and security incidents continue to erupt around the world. Beyond the lack of security awareness among employees and the need to improve security protection architecture, one of the main reasons is the lack of security thinking among software developers, which leaves many weaknesses in software products.

Take the security incident in the open source library Log4J in late 2021 as an example: enterprises using this package faced the risk of hackers exploiting it through LDAP injection vulnerabilities in the library, which stemmed from the developers’ failure to identify this threat and fix the weakness in the code during the development stage. Similar code security problems also appear in the increasingly popular IoT devices, leading to network cameras, NAS devices and other devices being compromised. Beyond business secrets being stolen, there have also been cases in which all the data on a device was encrypted by ransomware. These cases show how important it is for enterprises to introduce static testing tools, and they need professional security companies to help them avoid repeated incidents of IoT devices being compromised.

Onward Security is an international leader in IoT security compliance solutions, and one of the few companies with deep security assessment and testing technology. Daniel Liu, chief technology officer of Onward Security, said that the most impressive case of IoT devices being compromised was in 2016, when many network cameras were infected by the Mirai malware and became zombie devices for hacker organizations to launch DDoS attacks. Since then, there have been various incidents of IoT devices being compromised every year, causing great losses to consumers, enterprises and others, impacting the reputation of device manufacturers, and also driving a trend of testing source code. However, there are many difficulties in actual implementation.

Equipment manufacturers are reluctant to test open source components for security because suitable testing tools are hard to acquire

Considering manufacturing cost and device performance, most IoT devices use the open source Linux kernel on lower-priced Arm architecture processors. According to Onward Security, although open source software is easy to obtain, the subsequent maintenance work is quite complicated. When vulnerabilities occur in a software package, most companies do not have the ability to patch them themselves and can only wait passively for the open source community to release patches. If new products are about to go on the market at that point, some companies choose to accept the security risk, launch the product, and quietly hope that there will be no intrusion incidents. Secondly, some IoT products were not designed with a secure software development life cycle in mind and did not provide a product update function. Even if the open source community releases patches later, the products cannot be updated afterwards. In this situation, IoT devices that are inherently vulnerable naturally become the best attack targets for hacker organizations.

“The lack of static detection tools that support the ARM processor architecture is another important factor. The programs developed by developers on the ARM processor architecture cannot be compiled normally on some static detection tools. Developers need to seek the assistance of the original manufacturer to make the detection tools support cross compilers, and only then use the detection tools for detection. This complex detection process ultimately discourages people.” Daniel Liu explained: “In contrast, Lucent Sky AVM, which supports development environments such as .NET, Android, C/C++, Go, iOS, JDK, and Python, helps avoid the complex process of setting up the environments required by many static security testing tools. Therefore, it became the solution Onward Security recommends to our customers. With our information security consulting services, we can reduce the weaknesses and vulnerabilities in products to a minimum.”

Automatic vulnerability remediation greatly improves software quality

The key to Onward Security’s selection of Lucent Sky AVM for providing services to customers lies in the analysis and remediation algorithms developed by Lucent Sky, which support security standards and vulnerability lists such as CVSS, CWE, OWASP ASVS, OWASP Top 10, and PCI-DSS. It also scans both source code and binaries to check for vulnerabilities such as cross-site scripting and SQL injection. Lucent Sky AVM uses proprietary technologies such as Instant Fix and contextual remediation suggestions to perform meticulous contextual analysis, independently calculate the risk of each vulnerability, and automatically generate secure code, helping the development team speed up vulnerability remediation and shorten the software project development process.
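To make the kind of finding and fix described above concrete, the following is an added example, not code from the article, from Onward Security, or from Lucent Sky AVM. It shows a minimal AST-based check of the sort a static analyzer performs (flagging `execute()` calls whose query string is built by concatenation or an f-string), and, beside the flagged pattern, the parameterized form a remediation would substitute, with both run against a constructed in-memory SQLite table so the behavioural difference is visible. All names (`SAMPLE_SOURCE`, `find_string_built_queries`, `find_user_vulnerable`, `find_user_safe`, `demo`) and the sample data are assumptions made for this illustration.

```python
import ast
import sqlite3

# Constructed sample source, standing in for a file a static analyzer would scan.
SAMPLE_SOURCE = '''
def lookup_bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_also_bad(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup_good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def find_string_built_queries(source):
    """Return line numbers of .execute(...) calls whose first argument is
    assembled at runtime (concatenation, f-string, or str.format), i.e. the
    pattern static analyzers report as potential SQL injection (CWE-89)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args):
            continue
        arg = node.args[0]
        built_by_format = (isinstance(arg, ast.Call)
                           and isinstance(arg.func, ast.Attribute)
                           and arg.func.attr == "format")
        if isinstance(arg, (ast.BinOp, ast.JoinedStr)) or built_by_format:
            findings.append(node.lineno)
    return sorted(findings)


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """The flagged pattern: input is spliced into the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """The remediated form: the driver binds the value, so it is never
    interpreted as SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run the scanner over the sample source and compare both query forms
    on a normal value and on a value containing a quote character."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "flagged_lines": find_string_built_queries(SAMPLE_SOURCE),
        "vulnerable_normal": find_user_vulnerable(conn, "bob"),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted),
        "safe_normal": find_user_safe(conn, "bob"),
        "safe_crafted": find_user_safe(conn, crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner only looks at how the query string is constructed, which is exactly why such checks can run early in development without executing the product: the finding is in the source, not in the running device. The parameterized version returns nothing for the crafted input because the whole value is compared as data, while the concatenated version's WHERE clause is rewritten by it.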

Because Lucent Sky AVM supports many mainstream development tools, it can integrate seamlessly into an organization's existing software development environment. Its integration with existing development and deployment tools allows developers to perform analysis at any stage of software development and optimize the secure software development process. In particular, when software projects need to use third-party software packages, Lucent Sky AVM also analyzes whether the referenced packages carry known risks, greatly reducing the potential vulnerability risk.

Daniel Liu pointed out that, given the global shortage of information security talent, most enterprise information security teams are very busy and may not have time to help the development team solve the vulnerability problems of software projects. Onward Security has accumulated many years of information security experience and technical capability in professional fields such as IoT, industrial control, and connected vehicles. It is one of the few companies with deep information security testing and product security certification capabilities. It can provide customers with complete information security consulting services, help solve the problem of software vulnerability remediation, and act as a strong security backing for customers.

Facing pervasive malicious programs, developers should integrate security in the design stage. Combined with easy-to-use static analysis tools and professional security consulting services, the security of IoT devices can be greatly improved.

This story originally appeared on iThome and has been translated from its original language.