Continuing my series on “IoT Device Security Considerations and Security Layers”, next in the stack is the Application.
The level of Security that is put into the application on an IoT Device will depend upon several factors:
- Hardware Platform
- Operating System
- Programming Language
- Standards followed
- Level of Skill of developer
- Security Testing
The hardware platform becomes a factor when the application makes use of any special features that are present on the device. This is ideal for applications that are written for use on bespoke devices, such as sensors for specific tasks, but does not allow wider use without modification and different versions being developed.
There are a lot of modular kits available that utilise standard libraries of code that make it easier for those starting out, but the level of security will depend upon those used.
In a similar way to using specific hardware and programming for it, similar things can be accomplished using features of the operating system. Again, this is ideal for bespoke platforms and devices, but not for generic apps.
So the first choice you need to make when looking to secure your application is: is it a Generic or Specific application, and what elements of the Hardware and Operating System are you going to utilise?
There are lots of Programming Languages that can be used to create applications for the Internet of Things.
Redmonk carried out some research in June 2015 and ranked the most popular Programming Languages. Some of the popular languages that are currently used in IoT Development are:
There are lots of Languages available that can be used to programme for the IoT. The choice of Language used will vary based on the Hardware and Operating System used and the functionality required for the application provided by the Language.
A number of standards and frameworks are available for Application Security, with general standard practices and some more specific ones depending upon the type of application being developed. Others come down to good practice, experience and the Software Development Life-Cycle used.
Security Testing will be key to ensuring the developed application is secure. Applications and IoT Devices should be routinely security tested during development and after to ensure vulnerabilities are addressed.
OWASP (Open Web Application Security Project) lists the top 10 IoT Security vulnerabilities as:
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
The OWASP site also has a good set of Security Guidance for Manufacturers, Developers and Consumers setting out IoT Recommendations for each of the above areas.
If you want to learn a programming language but are not sure which one, have a look at my blog on “Learn a Programming Language – But which one?”