What strategies are best to ensure a secure embedded system?

Planning ahead in security testing helps to ensure a secure embedded system.

What strategies can I use to ensure embedded software is as secure as traditional application software? Is there extra security testing that should be done when working with embedded software systems?

There can certainly be a lot more to lose when embedded systems are attacked, but that shouldn't change your approach to how the software is developed. Regardless of the language, OS or hardware platform, the same strategies apply for application security. It all starts with the design. Threat modeling is key. This means looking at the overall system and determining everything from attack points to the specific exploits that can be carried out against the application.

Don't get too far off in the weeds worrying about embedded specifics. In the end, embedded system vulnerabilities are no different from those we see in traditional computer systems, such as:

  • Weak communication channels (e.g., known vulnerable versions of SSL)
  • Weak password and authentication mechanisms
  • Weak data storage methods

For every minute you plan in advance for the resiliency of your embedded systems, you'll often see payoffs of five- or tenfold. Take your time and do it properly.

When testing for embedded system security flaws, the general hacking methodology still applies:

  • Locate
  • Enumerate
  • Identify vulnerabilities
  • Exploit/demonstrate

That said, the specific means for finding and testing for embedded security flaws can be different from those used in traditional application security testing. In the case of embedded systems, you might still use traditional network and Web vulnerability scanners. However, depending on the embedded system platform, you might need a more niche tool set, including network analyzers, Bluetooth scanners, and Wi-Fi analysis tools. Exploit tools such as Metasploit can be beneficial as well. Being comfortable with an OS command prompt will help.

In the end, embedded systems are fair game for security testing -- and malicious hacking. Do what you can to find (and fix) the flaws before someone calls you out on them and creates problems for others.

This was last published in March 2015

What challenges has your enterprise faced with planning a secure embedded system?
We have embedded systems security, but haven't done much with it yet. Securing embedded systems used to be something that only agencies with three-letter initials could do anything with or about, but now you have more attacks coming, and the level of sophistication of the attack is dropping. But the tools to address these threats are once again lagging behind the attackers.
Thanks for the feedback. I feel like security tools are always lagging behind the attackers. They shift the attack, we shift the defense, they shift the attack, and the dance continues.
Very true, James.

We may lack certain security controls but there are plenty of ways to actually find/exploit the flaws...it's no different than any other network host or application.