Open source security and the Internet of Things

Mike Pittenger of Black Duck Software

Today’s consumer devices are becoming defined by their embedded technologies. Wireless locks for everything from doors to bicycles can be controlled from your smartphone, eliminating the frustration of lost keys and forgotten combinations.

Internet-enabled thermostats and lights adapt to your lifestyle and respond dynamically to your behaviour. Cars can optimise their operations, even monitor and adjust their position on the highway, alerting drivers if they are drifting out of their lane, automatically slowing down when they get too close to another car. And whether we’re ready or not, the Internet of Things will eventually add connected, autonomous vehicles.

Driving the IoT revolution is software, and that software is built on a core of open source. A recent Forrester Research report acknowledges the widespread prevalence of open source in applications, with custom code now often comprising only 10 to 20% of any given commercial application, says Mike Pittenger, vice president, Security Strategy, Black Duck Software.

Black Duck On-Demand audits of commercial applications consistently find open source components in nearly 100% of the applications scanned. Open source use is pervasive across every industry vertical, making up an average 20 to nearly 30% of commercial applications in the Automotive and Financial Services industries and up to 46% in the Healthcare vertical.

As open source use continues to increase, effective management of open source security risk is increasingly important. But in the rush to bring IoT devices to market, manufacturers are often giving insufficient attention to the additional security exposures created when systems become increasingly connected.

Connections mean more pathways and back doors that could be exploited by a hacker — especially when a system’s own designers may not be aware that those pathways and back doors even exist, as is often the case with vulnerable open source components.


Adding open source security to the Internet of Things

There are billions of reasons for IoT security – 20 billion IoT devices by 2020 in fact, according to Gartner. Billions more connected devices coming online in the next few years will create new security challenges. Security should be at the core of the design of all IoT devices —not an afterthought, or worse, reactive after the damage has been done.

When there is a vulnerability to be found, the laws of statistics guarantee that someone will eventually find it. With over 3,600 new open source component vulnerabilities reported in 2016, the need for greater visibility into and control over the open source in IoT devices is clear, and detection and remediation of open source security vulnerabilities should be a high priority.

IoT manufacturers need to adopt an approach to cybersecurity that addresses not only obvious exposures, but also the vulnerabilities that may be embedded in application code.

If your organisation plans to leverage IoT technology, you need to examine the software ecosystem you’re using to deliver those features, and account for open source identification and management in your security program. As well as examining custom source code for vulnerabilities, ensure that the open source you use is not introducing hidden security vulnerabilities.

The author of this blog is Mike Pittenger, vice president, Security Strategy, Black Duck Software

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Nozomi Networks and Tripwire announce strategic partnership

Posted on: September 17, 2021

Nozomi Networks Inc., the provider of OT and IoT security, and Tripwire, a global provider of security and compliance solutions for enterprises and industrial organisations, announced they have partnered to help organisations lower cyber risk with consistent security controls that span their IT, OT and IoT environments.

Read more

RightIndem deploys enterprise-grade conversational AI to simplify customer claims process

Posted on: September 17, 2021

RightIndem, an global insurance technology company, has worked with Bristol-based Amdaris to simplify its customer onboarding process via developing enterprise-grade conversational Artificial Intelligence experiences.

Read more