Better Living Through Security Coding Standards

Security for IoT and embedded devices is essentially a mess. Time for Standards 3d words on a clock face to illustrate guidelines and regulations for measuring performance or qualityIf you’re not aware of it by now, stop and take a minute to check out my IoT Hall-of-Shame. I still have a backlog of probably 20 hacks over the last few weeks to add to the list there. Finding out that some IoT device has been hacked is such a regular occurrence that it often gets no attention in the news.

I have often used the collage below as a kind of trick question in presentations. I’ll ask “which of these devices are hackable?” and of course the answer is all of them. In fact, the devices in this list aren’t just hackable, but have already been hacked. I started using this kind of picture a few years back with just a handful of devices. Today I can’t put them all in a single collage because they’d be too small- there are hundreds of them!

A collage of various devices that not only can be hacked, but already have been.

Devices that have been hacked

There are a lot of people who think that software and cybersecurity situation is inevitable – that the problem is just too difficult and basically it’s not going to get any better. I’m not one of those people, I happen to believe than we can do a better job at securing embedded devices and software systems in general. If you look at successful attacks, all too often you find that they’re not overly sophisticated, but rather exploit software vulnerabilities that have been well understood for years and for which there are very good mitigating strategies.

That’s where the SEI CERT Secure Coding Standard comes in. It outlines basic things you should do (or NOT do) when creating secure software. The way to check your code against a standard like CERT is to use a static analysis tool, like Parasoft C/C++test. Now I know that there are challenges in doing static analysis and software security, but I’ve got some pretty good ideas to make sure that what you’re doing will be a help rather than a burden.

I’m doing a joint webinar with David Svoboda from SEI CERT and we’re going to talk about what the SEI CERT Secure Coding Standard is, how to understand and use it, and how to successfully deploy static analysis to build security into your software rather than trying to test it in like people are doing today. Coding standards are the sound engineering basic for safe, secure, reliable software.

Join us on September 27th for this educational and entertaining webinar: register here.

Leave a Reply