What strategies can I use to ensure embedded software is as secure as traditional application software?
With recent attacks against SCADA systems, users are raising questions about the security of embedded software. Embedded software is inherently neither more nor less secure than standard software applications. In this expert answer, I’ll touch on two security strategies that can help ensure your embedded software is as secure as traditional application software.
First, a word of caution: no application can make up for an inherently insecure operating system. If the embedded system you are building against is replete with security vulnerabilities, you will only get so far in securing your application and your customers’ experience. The first strategy in ensuring the security of your embedded application, therefore, is selecting a secure embedded technology. A brief Expert Answer is too short to enumerate every step in evaluating a technology, but this answer will include a few guiding principles. Verify that the operating system has a hardened core that implements security layers -- core services run in isolated layers and are not easily impersonated. Next, look for an operating system with a hardened networking stack. Unused ports should be closed and non-responsive to port scans. Finally, the embedded system vendor should have a demonstrated commitment to patching and updating the system, especially for security vulnerabilities and strategies.
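One way to check the "unused ports should be closed" principle on a target you are evaluating, as an added example that is not part of the original answer: it parses the Linux /proc/net/tcp listing and reports listeners reachable off-device that are not on an allowlist. It assumes an embedded Linux target on a little-endian CPU; the sample listing and the allowlist (SSH only) are constructed for illustration.

```python
"""Audit listening TCP ports on an embedded Linux target against an allowlist."""
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302 1
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1403 1
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1504 1
"""

def parse_listeners(proc_text):
    """Return sorted (ip, port) pairs for IPv4 sockets in LISTEN state."""
    listeners = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # On little-endian targets the kernel prints the IPv4 address as a
        # byte-swapped 32-bit hex word, so 127.0.0.1 appears as 0100007F.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.add((ip, int(hex_port, 16)))
    return sorted(listeners)

def audit(proc_text, allowed_ports):
    """Return listeners that are reachable off-device and not on the allowlist."""
    findings = []
    for ip, port in parse_listeners(proc_text):
        if ip.startswith("127."):
            continue  # loopback-only services are not exposed to the network
        if port not in allowed_ports:
            findings.append((ip, port))
    return findings

if __name__ == "__main__":
    # Assumed policy for this example: only SSH (22) is meant to be exposed.
    for ip, port in audit(SAMPLE_PROC_NET_TCP, allowed_ports={22}):
        print(f"unexpected listener: {ip}:{port}")
```

On a real device, pass the contents of /proc/net/tcp (and a matching parser for /proc/net/tcp6, which this example does not cover) instead of the sample text.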
The second strategy is to commit to security as a vendor. A key contributor to security vulnerabilities (not just in embedded environments) has been a lack of attention paid to security simply because vendors assumed it wasn’t important. Historically, application vendors asked “Who would want to attack our system?” and ignored good security strategy. For this reason, many security vulnerabilities in embedded applications were simply due to naiveté and ignorance. As vendors commit to building and supporting secure applications, embedded application security incidents will drop in frequency and severity. Embedded environments aren’t inherently less secure, but applications built in embedded environments were less secure because security wasn’t at the forefront. Committing to security means implementing a secure development lifecycle -- a consistent, repetitive process of continuous improvement in security architecture, implementation and testing.
By selecting a secure embedded platform to begin your project, and by building secure applications, your embedded solutions can have the same level of security as standard computing applications.
This was first published in June 2011