Driving Secure by Design IoT approaches in the UK
CA Technologies applauds UK Secure by Design Report and recommends focus on secure development.
The UK Government Department of Digital, Media, Culture and Sport (DCMS) recently released a report aimed to ensure that the Internet of Things (IoT) is secure by design, with security built in from the start.
The IoT, and the data-driven innovation it promises, provide a wealth of opportunities for the UK for improving public health, protecting the environment, and enhancing transportation safety and efficiency, among many other benefits. However, the increase in ubiquitous connectivity brings significant cyber security risks as well.
CA Technologies applauds the release of this report as security will be critical to realizing the benefits of the IoT.
The primary feature of the report is a proposed industry Code of Practice, which includes guidelines for enhancing the security of IoT devices, applications and infrastructure.
The guidelines cover a range of security and privacy practices including credentials management, principles of least privilege, data protection and management, secure communications, and many others.
The report calls out the first three guidelines as having particular importance because they will bring about the largest improvement in the short term. They are:
CA Technologies agrees that these guidelines are critical to securing the IoT ecosystem. However, we would also recommend the inclusion of a new guideline, which promotes the use of secure software development processes and practices in order to effectively minimize the inclusion of vulnerabilities in device and applications as they are developed in the first place.
Software applications are increasingly integrated into our commercial processes, including in the consumer IoT marketplace. But this makes them a prime target for hackers.
Data from Veracode’s 2017 State of Software Security (SOSS) Report demonstrate how pervasive software security risk is. For example, the frequent use of third-party software components speeds up development but also increases risk: as the SOSS report notes, 88 percent of tested Java applications had at least one vulnerability in a component.
Organizations that follow best practices make security an element of quality, conducting security testing and other secure development practices throughout the development lifecycle. These practices result in significantly fewer vulnerabilities being included in code that is released in the marketplace, reducing attack opportunities for malicious actors. As one example, the SOSS report notes that organizations that scan their applications more frequently during development have a 48 percent higher fix rate than organizations that don’t scan frequently. Organizations with eLearning developer education classes have a 19 percent better fix rate.
Finally, it is important to note that a holistic secure by design approach will also consider effective identity and access management practices, including privileged access management to protect the secure software development process itself. Effective API security and secure automated updates will also be critical to the security of the full life cycle of devices, applications and networks.
CA Technologies believes the Secure by Design report is a significant step forward in government-industry partnerships to improve cybersecurity. We look forward to working with DCMS, our partners and other industry stakeholders to continue driving security best practices in the IoT marketplace.
Which best practices do you feel are important to highlight? What is missing in the report? We invite you to share your thoughts below.