Good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime, have been introduced in a report by ENISA.
The number of IoT devices is rising constantly, with 25 billion IoT devices expected to be in use by 2021 according to a Gartner study.
Notorious attacks such as Stuxnet (which targeted industrial control systems) and the Mirai botnet (which recruited poorly secured consumer IoT devices) have led to growing concerns about the security measures of IoT devices. IoT is going to have an impact on every aspect of our lives and we need to be prepared.
Security by design, fundamental to IoT security
The establishment of secure development guidelines is a fundamental building block for IoT security. The ENISA report has a particular focus on software development guidelines, a key aspect for achieving security by design.
The study elaborates on this notion by giving specifics on how to securely collect requirements, design, develop, maintain and dispose of IoT systems and services.
In the context of IoT, a rapidly emerging set of technologies that needs to be holistically secured, such work aims to set the reference point for the development of secure by design solutions. The main contributions of the study include:
- Analysis of security concerns in all phases of IoT SDLC and key points to consider.
- Detailed asset and threat taxonomies concerning the IoT secure SDLC.
- Concrete and actionable good practices to enhance the cybersecurity of the IoT SDLC.
- Mapping of ENISA good practices to related existing standards, guidelines and schemes.
Create secure IoT products: Cybersecurity throughout the SDLC
Applying secure Software Development Life Cycle (SDLC) principles is an effective and proactive means of avoiding vulnerabilities in IoT, and thus contributes to developing software applications and services in a secure manner.
“Taking a step back and looking into the entire lifecycle of IoT products and services, ENISA with the input of IoT experts created security guidelines for the whole lifespan: from requirements and design, to development and maintenance, as well as disposal,” said Juhan Lepassaar, Executive Director at ENISA.
“The motivation is clear: security is not only about the end product, but also about the processes to be followed to develop the product.”
This ENISA study outlines good practices for IoT security with a particular focus on securing the SDLC of IoT systems.
This entails defining security measures that apply to the entire IoT ecosystem (devices, communications/networks, cloud, etc.) in order to bolster the security of the development process, resulting in devices that are fundamentally more secure.
Given the diverse phases that the SDLC entails and the complexity of the IoT ecosystem, the target audience is those who want to create secure IoT products:
- IoT software developers
- IoT platform, Software Development Kit (SDK) and Application Programming Interface (API) developers and consumers
- IoT integrators