Open source security and the Internet of Things
Today’s consumer devices are becoming defined by their embedded technologies. Wireless locks for everything from doors to bicycles can be controlled from your smartphone, eliminating the frustration of lost keys and forgotten combinations.
Internet-enabled thermostats and lights adapt to your lifestyle and respond dynamically to your behaviour. Cars can optimise their operations, even monitor and adjust their position on the highway, alerting drivers if they are drifting out of their lane, automatically slowing down when they get too close to another car. And whether we’re ready or not, the Internet of Things will eventually add connected, autonomous vehicles.
Driving the IoT revolution is software, and that software is built on a core of open source. A recent Forrester Research report acknowledges the widespread prevalence of open source in applications, with custom code now often comprising only 10 to 20% of any given commercial application, says Mike Pittenger, vice president, Security Strategy, Black Duck Software.
Black Duck On-Demand audits of commercial applications consistently find open source components in nearly 100% of the applications scanned. Open source use is pervasive across every industry vertical, making up an average 20 to nearly 30% of commercial applications in the Automotive and Financial Services industries and up to 46% in the Healthcare vertical.
As open source use continues to increase, effective management of open source security risk is increasingly important. But in the rush to bring IoT devices to market, manufacturers are often giving insufficient attention to the additional security exposures created when systems become increasingly connected.
Connections mean more pathways and back doors that could be exploited by a hacker — especially when a system’s own designers may not be aware that those pathways and back doors even exist, as is often the case with vulnerable open source components.
Adding open source security to the Internet of Things
There are billions of reasons for IoT security – 20 billion IoT devices by 2020 in fact, according to Gartner. Billions more connected devices coming online in the next few years will create new security challenges. Security should be at the core of the design of all IoT devices —not an afterthought, or worse, reactive after the damage has been done.
When there is a vulnerability to be found, the laws of statistics guarantee that someone will eventually find it. With over 3,600 new open source component vulnerabilities reported in 2016, the need for greater visibility into and control over the open source in IoT devices is clear, and detection and remediation of open source security vulnerabilities should be a high priority.
IoT manufacturers need to adopt an approach to cybersecurity that addresses not only obvious exposures, but also the vulnerabilities that may be embedded in application code.
If your organisation plans to leverage IoT technology, you need to examine the software ecosystem you’re using to deliver those features, and account for open source identification and management in your security program. As well as examining custom source code for vulnerabilities, ensure that the open source you use is not introducing hidden security vulnerabilities.
The author of this blog is Mike Pittenger, vice president, Security Strategy, Black Duck Software