Development teams are constantly challenged to assure the confidentiality, integrity and availability of their IoT products. Well known vulnerabilities are continually left exposed in connected products. Developers often lack the expertise and time required to identify and close new vulnerabilities. Tools that help developers and security engineers accomplish their goal of secure IoT products are required.
In the early days of software development, code was manually analyzed for quality defects and vulnerabilities. This type of code inspection is still used in agile peer review processes and potentially for high-value code within an application, but does not scale to meet the needs of modern technology. A report from McKinsey and Company noted for example that there are over 150 million software lines of code (SLoC) in a modern automobile. Attempting to manually review this code and still get the product to market on time would be impossible.
Identify Security Requirements
In order to define automated security tests, a team must first acquire an understanding of product threats. A threat model should be the first activity that any team undertakes. Threat models are often static documents that are rarely read, however, there are tools today that link threat model data with user stories and support the creation of automated tests that can be run throughout the dev process. Figure 1 shows an automated process for identifying device-specific security requirements.