What strategies can I use to ensure embedded software is as secure as traditional application software? Is there extra security testing that should be done when working with embedded software systems?
There can certainly be a lot more to lose when embedded systems are attacked, but that shouldn't change your approach to how the software is developed. Regardless of the language, OS or hardware platform, the same strategies apply for application security. It all starts with the design. Threat modeling is key. This means looking at the overall system and determining everything from attack points to the specific exploits that can be carried out against the application.
Don't get too far off in the weeds worrying about embedded specifics. In the end, embedded system vulnerabilities are no different from those we see in traditional computer systems, such as:
- Weak communication channels (e.g., known vulnerable versions of SSL)
- Weak password and authentication mechanisms
- Weak data storage methods
Every minute you spend planning in advance for the resiliency of your embedded systems often pays off five- or tenfold. Take your time and do it properly.
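As an added illustration (not part of the original answer), the three weakness classes listed above can be turned into a repeatable design-review check that runs against a device's configuration. The configuration layout, field names and policy thresholds below are assumptions constructed for this example, not a real vendor format.

```python
# Constructed sample: a hypothetical device configuration export (not a real vendor format).
SAMPLE_CONFIG = {
    "services": [
        {"name": "mgmt-web", "port": 443, "tls_min_version": "SSLv3"},
        {"name": "telemetry", "port": 8883, "tls_min_version": "TLSv1.2"},
        {"name": "debug-shell", "port": 23, "tls_min_version": None},
    ],
    "accounts": [
        {"user": "admin", "password_is_factory_default": True, "min_length": 6},
        {"user": "operator", "password_is_factory_default": False, "min_length": 12},
    ],
    "storage": [
        {"item": "wifi_psk", "protection": "plaintext"},
        {"item": "user_passwords", "protection": "md5"},
        {"item": "device_key", "protection": "secure_element"},
    ],
}

# Assumed policy values for this example; set them from your own threat model.
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}
WEAK_STORAGE = {"plaintext", "base64", "md5", "sha1"}
MIN_PASSWORD_LENGTH = 12

def review_config(cfg):
    """Return (category, subject, reason) findings for the three weakness classes."""
    findings = []
    for svc in cfg.get("services", []):  # weak communication channels
        version = svc.get("tls_min_version")
        if version is None:
            findings.append(("channel", svc["name"], "no transport encryption"))
        elif version not in ACCEPTED_TLS:
            findings.append(("channel", svc["name"], f"accepts {version}"))
    for acct in cfg.get("accounts", []):  # weak passwords and authentication
        if acct.get("password_is_factory_default"):
            findings.append(("auth", acct["user"], "factory default password"))
        if acct.get("min_length", 0) < MIN_PASSWORD_LENGTH:
            findings.append(("auth", acct["user"], "minimum length below policy"))
    for entry in cfg.get("storage", []):  # weak data storage
        protection = str(entry.get("protection", "plaintext")).lower()
        if protection in WEAK_STORAGE:
            findings.append(("storage", entry["item"], f"stored as {protection}"))
    return findings

if __name__ == "__main__":
    for category, subject, reason in review_config(SAMPLE_CONFIG):
        print(f"[{category}] {subject}: {reason}")
```

Running the same check on every firmware build keeps the design-time decisions from silently regressing.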
When testing for embedded system security flaws, the general hacking methodology still applies:
- Identify vulnerabilities
That said, the specific means for finding and testing for embedded security flaws can be different than they are in traditional application security testing. In the case of embedded systems, you might still use traditional network and Web vulnerability scanners. However, depending on the embedded system platform, you might need a more niche tool set, including network analyzers, Bluetooth scanners and Wi-Fi analysis tools. Exploit tools such as Metasploit can be beneficial as well. Being comfortable with an OS command prompt will help.
In the end, embedded systems are fair game for security testing -- and malicious hacking. Do what you can to find (and fix) the flaws before someone calls you out on them and creates problems for others.