Internet of Things: Security Insights for Developers
Think Like Attackers, Says IBM's Charles Henderson
Conducting penetration testing on "Internet of Things" devices is similar to testing any other Internet-connected product: Hammer away at it to see if its security can be broken, and then determine what that might allow attackers to do.
All IoT-related hardware and software demands security testing, says Charles Henderson, IBM's global head of security testing and threats, in an interview with Information Security Media Group. But one big challenge with IoT devices is that they are not a single technology but a collection of technologies, and small problems in each of those technologies can add up to big risks when they are combined.
"Very often, some of the most damaging vulnerabilities that we see in IoT are vulnerabilities that actually present across multiple technologies," Henderson says. "Effectively, it's not the mobile application alone, it's the way the mobile application integrates with the API, with the web platform, and with the sensor device that it connects to. It's a chain of problems, rather than an individual problem in a specific technology."
That's why manufacturers need to test not just the individual technologies, applications or services associated with their devices, but the whole system working together, Henderson says. Developers must think about how attackers might attempt to exploit a device, and why, and then write code designed to lock the device down against such attacks, he stresses.
Cook Up Device "Abuse Cases"
For developers, helping to create secure devices involves not just thinking about how to deliver specific types of functionality, but also to "think like an attacker," he says. "Think not just of use cases, but think of abuse cases. Think how your product can be misused to circumvent security safeguards."
In this in-depth interview, Henderson also discusses:
- The value of using humans, not just automated tools, to look for vulnerabilities;
- How devices most often fail on the security front, and what can be done to prevent that;
- The importance of having developers do informal threat modeling against the applications, devices or services they build or use.
Before joining IBM as global head of security testing and threats, Henderson served as vice president of managed security testing at Trustwave, as well as head of its penetration testing services group and director of application security services. He's also worked as a security consultant specializing in penetration testing.