Software lies at the core of every IoT system and service, enabling their functionality and providing value-added features. Establishing secure development guidelines across the IoT ecosystem is a fundamental building block for IoT security.

This ENISA study (November 2019) introduces good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime.

By providing good practices on how to secure the IoT software development process, this study tackles one aspect of achieving security by design, a key recommendation highlighted in the ENISA Baseline Security Recommendations study, which focused on the security of the IoT ecosystem from a horizontal point of view.

Examples of how software is essential to IoT include:

  • The firmware of IoT devices.
  • Implementations of IoT communication protocols and stacks.
  • Operating Systems (OSs) for IoT products.
  • Application Programming Interfaces (APIs) supporting interoperability and connectivity of different IoT services.
  • IoT device drivers.
  • Backend IoT cloud and virtualisation software.
  • Software implementing different IoT service functionalities.

Due consideration needs to be given to supply chain issues, including the integration of software and hardware. ENISA recommendations include:

  • Making use of secure Software Development Life Cycle (SDLC) principles is an effective and proactive means to avoid vulnerabilities in IoT.
  • These principles assist in developing software applications and services in a secure manner.
  • Several security challenges of the IoT can be addressed by establishing a baseline of secure development guidelines, such as checking for security vulnerabilities, secure deployment, ensuring continuity of secure development in cases of integrators, continuous delivery etc.
  • It is therefore important to analyse the relevant IoT cybersecurity threats and, accordingly, to put forward security measures and specific secure development guidelines to avoid common software vulnerabilities deriving from insecure practices that might be followed throughout the SDLC (requirements analysis, software design, software development, implementation, deployment, integration, maintenance and disposal).

PANACEA Research perspectives: PANACEA is analysing the cyber threat landscape as part of its market perimeter analysis and evaluation of best practices in cybersecurity across enabling technologies and critical infrastructures like healthcare organisations.

Lookout Watch entry date: 27/11/2019
