vege - Fotolia
What strategies can I use to ensure embedded software is as secure as traditional application software? Is there extra security testing that should be done when working with embedded software systems?
There can certainly be a lot more to lose when embedded systems are attacked, but that shouldn't change your approach to how the software is developed. Regardless of the language, OS or hardware platform, the same strategies apply for application security. It all starts with the design. Threat modeling is key. This means looking at the overall system and determining everything from attack points to the specific exploits that can be carried out against the application.
Don't get too far off in the weeds worrying about embedded specifics. In the end, embedded system vulnerabilities are no different from those we see in traditional computer systems, such as:
- Weak communication channels (e.g., known vulnerable versions of SSL)
- Weak password and authentication mechanisms
- Weak data storage methods
Every minute you plan in advance for the resiliency of your embedded systems, you'll see payoffs of often five- or tenfold. Take your time and do it properly.
When testing for embedded system security flaws, the general hacking methodology still applies:
- Identify vulnerabilities
That said, the specific means for finding and testing for embedded security flaws can be different than they are in traditional application security testing. In the case of embedded systems, you might still use traditional network and Web vulnerability scanners. However, depending on the embedded system platform, you might need more niche tool set including such as network analyzers, Bluetooth scanners, and Wi-Fi analysis tools. Exploit tools such as Metasploit can be beneficial as well. Being comfortable with an OS command prompt will help.
In the end, embedded systems are fair game for security testing -- and malicious hacking. Do what you can to find (and fix) the flaws before someone calls you out on them and creates problems for others.
Learn more about embedded operating systems
Printer vulnerabilities shed light on embedded systems security
Discover the seven deadly sins of embedded software development and testing
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading