A recent survey from Mocana has found that 24 percent of respondents knew of security problems in their company’s products that had not been disclosed to the public before the devices were shipped, but just what that means in terms of attitudes towards security may be more complex than it seems.
Mocana provides security solutions for connected devices outside the PC market, such as smartphones and medical devices. According to its survey, which included responses from 800 engineers and developers that work on embedded devices, just 41 percent said their company has “allocated sufficient time and money to secure” its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, “those problems are addressed before the device is released.”
So what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security.
Chris Eng, vice president of research at Veracode, told SecurityWeek that engineers sometimes let a product slip out the door with a bug if the vulnerability is considered low-risk. However, problems can arise when bugs fall off the radar after the product release due to negligence or the discovery of more pressing vulnerabilities.
“I don’t think that every tiny bug, every tiny security bug, has to be fixed before it goes out the door,” he said. “Ideally you fix as many as you can but there’s always going to be some date where you have to ship stuff and you have to prioritize…but you also shouldn’t forget about them.”
Schedule pressures are huge and often result in security being given short-thrift, noted Dan Cornell, principal at application security firm the Denim Group. The cost of doing that however can be high.
“An important thing for organizations to understand about embedded software security is that the cost and effort required to update many embedded systems is significant,” he said. “Web application updates typically require updating code one a couple of centrally controlled servers. Embedded applications could be on devices spread around the world and not necessarily connected to networks that allow the software to be updated. That may make it such that fixing security flaws in embedded systems requires the replacement of hardware.”
Related Resource: Summer 2011 Device Developers' Security Report
To Kurt Stammberger, vice president of market development at Mocana, the pressure to get a product to market – particularly when it comes to consumer electronics and smartphones – pose a challenge. The real problem however isn’t the timetable – it’s that engineering and product managers “have been slow to realize that device security has become a real problem over the past 12 months.”
“Three years ago, no one really had to worry much about embedded security,” he said. “But now embedded malware and attacks are exploding…and lots of different populations of devices - iPhones, Android handsets, smartmeters - are each more populous than the entire Internet was in 1996, meaning there are multiple target-rich environments for hackers to go after.”
According to the survey, just 39 percent of responders agreed they could “find embedded security know-how when they required it.”
“If you think it’s hard to hire a software developer in Silicon Valley, try hiring an embedded security expert,” Stammberger said. “They literally cannot be found, and pretty much can name their salary wherever they land…This talent shortage is going to become incredibly acute as devices outnumber PCs on the Internet by greater than 100 to 1 in the next five years.”
The good news, according to the study, is that 58 percent of responders disagreed with the statement “security isn’t a big priority for our device design teams.”
Calling integration between security and development teams good, Eng said it is important for developers to be knowledgeable of best practices, such as not hard-coding a default password.
“Your goal shouldn’t be to turn every developer into a security expert,” he said. “It should be to make sure that they’re aware of security risks, and that it’s kind of in the back of their minds.”
Developer Resource: Designing Security for Newly Networked Devices