Testing the Internet of Things

Similar documents
ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Requirements-driven Verification Methodology for Standards Compliance

Application Security: Threats and Architecture

The Internet of Things Risks and Challenges

BlackBerry 10.3 Work and Personal Corporate

Passing PCI Compliance How to Address the Application Security Mandates

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web application security: automated scanning versus manual penetration testing.

Security Threats on National Defense ICT based on IoT

Secure Code Development

Top five strategies for combating modern threats Is anti-virus dead?

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Mobile Application Threat Analysis

Intelligent development tools Design methods and tools Functional safety

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

How To Be Prepared For A Cybercrime

What is Really Needed to Secure the Internet of Things?

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

Data Protection: From PKI to Virtualization & Cloud

BSc (Hons.) Computer Science with Network Security. Examinations for 2011/ Semester 2

Network Test Labs (NTL) Software Testing Services for igaming

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

Defending the Internet of Things

Auditing the Security of an SAP HANA Implementation

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

External Supplier Control Requirements

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

The Top Web Application Attacks: Are you vulnerable?

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

SIP Security Controllers. Product Overview

Enterprise Apps: Bypassing the Gatekeeper

Introduction: 1. Daily 360 Website Scanning for Malware

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Copyright Telerad Tech RADSpa. HIPAA Compliance

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

2015 Vulnerability Statistics Report

BYPASSING THE ios GATEKEEPER

RETHINK SECURITY FOR UNKNOWN ATTACKS

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

93% of large organisations and 76% of small businesses

How To Protect Decd Information From Harm

Car Cybersecurity: What do the automakers really think? 2015 Survey of Automakers and Suppliers Conducted by Ponemon Institute

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

You don t hear me but your phone s voice interface does. José LOPES ESTEVES & Chaouki KASMI

CONTENTS. PCI DSS Compliance Guide

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

Web App Security Audit Services

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

How To Protect Your Cloud Computing Resources From Attack

BYOD Guidance: BlackBerry Secure Work Space

ISSECO Syllabus Public Version v1.0

A Framework for Secure and Verifiable Logging in Public Communication Networks

Chapter 1 Web Application (In)security 1

WEB 2.0 AND SECURITY

Design of automatic testing tool for railway signalling systems software safety assessment

The Security Development Life Cycle

Web of Things Architecture

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Beyond the Hype: Advanced Persistent Threats

Building Trust in a Digital World. Brian Phelps, BSc CISSP Director of Advanced Solutions Group EMEA Thales UK, Ltd.

Symphony Plus Cyber security for the power and water industries

Ensuring security the last barrier to Cloud adoption

IoT IT Security and Secure Development Life Cycle

Enabling the secure use of RFID

Security Issues with Integrated Smart Buildings

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Testing of safety-critical software some principles

Security in Vehicle Networks

05.0 Application Development

Brainloop Cloud Security

Principles of Computer Security. Dr George Danezis

Web Application Security

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

VPN Lesson 2: VPN Implementation. Summary

Security Security by Separation

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright Security Compass. 1

OWASP AND APPLICATION SECURITY

Full Drive Encryption Security Problem Definition - Encryption Engine

Transcription:

Presentation to TMF Testing the Internet of Things Test and Verification Solutions Delivering Tailored Solutions for Hardware Verification and Software Testing

What is the IoT? Wikipedia The Internet of Things refers to the interconnection of uniquely identifiable embedded computing like devices with the existing Internet infrastructure Need to consider the technology But better understood through the applications Copyright TVS Limited Private & Confidential Page 2

Technology Possibly RFID (Radio Frequency Identification) tags + EPC (Electronic Product Code) -> EPCIS (EPC Information Services) Linked by ONS (Object Naming Service) PET (Privacy Enhancing Technologies): VPN (not global), TLS (slow), DNSSEC (not adopted globally), Onion routing (slow), PIR (impractical), P2P (maybe), Hypercat (maybe) Competing standards not yet reconciled Copyright TVS Limited Private & Confidential Page 3

A simple well known application: The Smart Fridge Who is involved? The milk manufacturer The app developer Copyright TVS Limited Private & Confidential Page 4

Testing the milk bottle Responsibility of the manufacturer Ensuring it obeys the protocols Ensuring an application can access the required data Security Responsibility of the app developer Errors in the milk bottle interaction Data integrity Security Copyright TVS Limited Private & Confidential Page 5

Testing the app Responsibility of the manufacturer Anything??? Responsibility of the app developer Usual distributed app functional testing These are autonomous systems So a lot of non-functional aspects to verify Copyright TVS Limited Private & Confidential Page 6

V&V of Autonomous Systems Software PAS 754:2014 UK Trustworthy Software Initiative (TSI) Copyright TVS Limited Private & Confidential Page 7

V&V of Autonomous Systems Software Traditional structured approach to testing Unit, integration, subsystem, system But system level testing changes Noise in the system Discovering boundaries of correct performance Emergent behaviours Facets of trustworthiness Safety, Reliability, Availability, Resilience, Security Copyright TVS Limited Private & Confidential Page 8

Scare Stories? Car was programmed to stop in fast lane Drone ditches into housing estate Criminals steal Amazon deliveries Disappearing cars cars drive themselves into arms of thieves Toyota Prius cars that are being recalled to fix a hybrid control unit glitch that can cause the cars to automatically shut down and enter a limp-home failsafe mode Online marketplace ebay is forcing users to change their passwords after a cyber-attack compromised its systems. The US firm said a database had been hacked between late February and early March, and had contained encrypted passwords and other non-financial data. Copyright TVS Limited Private & Confidential Page 9

Example Automotive Applications Passengers using cars services Accessing wifi, music+videos, time to destimation, etc Smart parking Help to find a parking space Automated parking Augmented Awareness ADAS (Advanced Driver Assistance Systems) Driver stays in charge Identifies a cyclist in the blind spot Driverless Cars Autonomous Systems Software Copyright TVS Limited Private & Confidential Page 10

Safety Critical Automotive Applications Passengers using cars services Accessing wifi, music+videos, time to destimation, etc Smart parking Help to find a parking space Automated parking Augmented Awareness ADAS (Advanced Driver Assistance Systems) Driver stays in charge Identifies a cyclist in the blind spot Driverless Cars Autonomous Systems Software Copyright TVS Limited Private & Confidential Page 11

Safety Standards IEC61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safetyrelated Systems DO178: Software considerations in airborne systems and equipment certification EN50128: Software for railway control and protection systems IEC60880: Software aspects for computer-based systems performing category A functions IEC62304: Medical device software -- Software life cycle processes ISO26262: Road vehicles Functional safety Copyright TVS Limited Private & Confidential Page 12

Key Elements Plans & Standards Requirements Design Specifications Reviews and Analyses Testing (against specifications) ounit osoftware Integration o Software System Test Coverage Criteria Traceability Independence Copyright TVS Limited Private & Confidential Page 13

IEC61508 Dynamic analysis and testing Technique SIL 1 SIL 2 SIL 3 SIL 4 Structural test coverage (entry points) 100% HR HR HR HR Structural test coverage (statements) 100% R HR HR HR Structural test coverage (branches) 100% R R HR HR Structural test coverage (conditions, MC/DC) 100% R R R HR Test case execution from boundary value analysis R HR HR HR Test case execution from error guessing R R R R Test case execution from error seeding - R R R Test case execution from model-based test case generation R R HR HR Performance modelling R R R HR Equivalence classes and input partition testing R R R HR Copyright TVS Limited Private & Confidential Page 14

Is Reliable Software Expensive? 40-50% project effort on avoidable rework Extra 50% cost to develop high integrity software Extra 75% cost to maintain low integrity software Source: Boehm Software Management Article 2001 Copyright TVS Limited Private & Confidential Page 15

Presentation to TMF Interthreat of Things The security considerations Test and Verification Solutions Delivering Tailored Solutions for Hardware Verification and Software Testing

FUD (Fear, Uncertainty and Doubt) So far there have been very few malicious IoT attacks. http://www.dailymail.co.uk/sciencetech/article-2384826/satis-smart-toilets-japan-hacked-hijacked-remotely.html http://uk.pcmag.com/news/13737/japanese-smart-toilet-vulnerable-to-hackers IoT devices are currently insecure. Criminal hackers are usually motivated by money, not publicity. When Things start processing financial data attacks will become commonplace. Updates to deployed Things will be infrequent. http://www.bbc.co.uk/news/technology-28344219 http://www.ducksley.com/2013/12/cia-drone-blows-up-google-driverless-car/ Copyright TVS Limited Private & Confidential Page 17

Attack Vectors Huge increase in attack surface Initial criminal attacks will probably follow known vectors: Mapping the Objects and Servers; Identifying functionality; Bypassing client-side controls; Attacking authentication, session management, and access controls; Injecting code; Path traversal; Application logic and erasing audit trail; Other users (XSS / XSRF / hi-jack / redirection etc); Exploiting information disclosure; Overflow; Attacking Architecture, servers and source code. Expect massive use of automation in attacks. Copyright TVS Limited Private & Confidential Page 18

Innovation & Risk New technology will be closely followed by new attacks, then new defences. Reduced barriers to entry will create more IoT entrepreneurs and technologists, with no security skills. Creativity tools will probably be security-lite Threat assessment will be important. https://www.owasp.org/index.php/owasp_internet_of_t hings_top_ten_project#tab=owasp_internet_of_things_t op_10_for_2014 Copyright TVS Limited Private & Confidential Page 19

Can Things be turned off? (Faraday cages, killing the tag, dissolution of connection) Copyright TVS Limited Private & Confidential Page 20

Defences Secure by design Secure coding practices Tested for security Perimeter (network) defences Secure Technology, Processes, and People Copyright TVS Limited Private & Confidential Page 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information