Developer Challenges Force Insecure Devices to Market

A recent survey from Mocana has found that 24 percent of respondents knew of security problems in their company’s products that had not been disclosed to the public before the devices were shipped, but just what that means in terms of attitudes towards security may be more complex than it seems.

Mocana provides security solutions for connected devices outside the PC market, such as smartphones and medical devices. According to its survey, which included responses from 800 engineers and developers that work on embedded devices, just 41 percent said their company has “allocated sufficient time and money to secure” its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, “those problems are addressed before the device is released.”

So what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security.

Chris Eng, vice president of research at Veracode, told SecurityWeek that engineers sometimes let a product slip out the door with a bug if the vulnerability is considered low-risk. However, problems can arise when bugs fall off the radar after the product release due to negligence or the discovery of more pressing vulnerabilities.

“I don’t think that every tiny bug, every tiny security bug, has to be fixed before it goes out the door,” he said. “Ideally you fix as many as you can but there’s always going to be some date where you have to ship stuff and you have to prioritize…but you also shouldn’t forget about them.”

Schedule pressures are huge and often result in security being given short shrift, noted Dan Cornell, principal at application security firm the Denim Group. The cost of doing that, however, can be high.

“An important thing for organizations to understand about embedded software security is that the cost and effort required to update many embedded systems is significant,” he said. “Web application updates typically require updating code on a couple of centrally controlled servers. Embedded applications could be on devices spread around the world and not necessarily connected to networks that allow the software to be updated. That may make it such that fixing security flaws in embedded systems requires the replacement of hardware.”

Related Resource: Summer 2011 Device Developers’ Security Report

To Kurt Stammberger, vice president of market development at Mocana, the pressure to get a product to market – particularly when it comes to consumer electronics and smartphones – poses a challenge. The real problem, however, isn’t the timetable – it’s that engineering and product managers “have been slow to realize that device security has become a real problem over the past 12 months.”

“Three years ago, no one really had to worry much about embedded security,” he said. “But now embedded malware and attacks are exploding…and lots of different populations of devices – iPhones, Android handsets, smart meters – are each more populous than the entire Internet was in 1996, meaning there are multiple target-rich environments for hackers to go after.”

According to the survey, just 39 percent of responders agreed they could “find embedded security know-how when they required it.”

“If you think it’s hard to hire a software developer in Silicon Valley, try hiring an embedded security expert,” Stammberger said. “They literally cannot be found, and pretty much can name their salary wherever they land…This talent shortage is going to become incredibly acute as devices outnumber PCs on the Internet by greater than 100 to 1 in the next five years.”

The good news, according to the study, is that 58 percent of responders disagreed with the statement “security isn’t a big priority for our device design teams.”

Eng called the integration between security and development teams good, and said it is important for developers to be knowledgeable about best practices, such as not hard-coding a default password.

“Your goal shouldn’t be to turn every developer into a security expert,” he said. “It should be to make sure that they’re aware of security risks, and that it’s kind of in the back of their minds.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
