Identifying and Testing Undiagnosed Cybersecurity Vulnerabilities
The Internet of Things (IoT), brings a new level of interconnectedness, and thus hackability to our world. What strategies should be used to secure IoT?
Join the DZone community and get the full member experience.Join For Free
technologies such as the internet of things (iot) have a profound effect on the software development industry because they enable the interconnection of the physical and virtual world based on interoperable communication technologies. ultimately, this will result in a very large portion of electronic devices having network connectivity -- and every manufacturer of those devices will then enter the software business.
iot has also expanded the scope of responsibility into an entirely new category of platforms and services, redefining security needs. cybersecurity vulnerabilities are problematic in any situation, but iot applications often power critical machines such as automobiles, healthcare devices, manufacturing equipment and much more, so safety can become an issue if security is compromised.
a new era of security risks
in november of 2016, the associated press profiled a report issued by the department of homeland security (dhs) that quoted former homeland security secretary jeh johnson as saying, “securing the internet of things has become a matter of homeland security." the dhs report recommended immediate action by software developers and other stakeholders in the development and commercialization of iot devices.
gartner predicts that the number of connected things in use will reach 25 billion by 2020.  embedded software is at the center of the rapidly growingly iot technology evolution because it serves as the critical technology foundation.
however, the requirements for securing iot devices is complex, as these devices do not use the traditional web stack where security mitigations are commonly focused. instead, they use a combination of internet protocols as well as embedded protocols, so it is hard to apply existing penetration tools (such as those targeting http interfaces or sql injection attacks) to such devices, given their development is typically done in c or c++. embedded protocols are nearly immune to these because they don’t understand the protocol.
because of this, undiagnosed cybersecurity vulnerabilities could still be lurking. security vulnerabilities can enter a product as soon as the first few lines of code are written, but the real danger is if they are not detected until much later. developing secure applications requires constant vigilance in all stages of development. just like quality, security is a process that is best implemented at inception, and challenges need to be addressed during development because it will be too costly and complex to redesign these advanced systems after they have already been shipped. this means using tools that are capable of detecting possible vulnerabilities when writing code, integrating modules, and testing compiled binaries on target hardware.
developing secure devices
gartner also predicts that over 50% of iot device manufacturers will remain unable to address threats emanating from weak security practices .
one of the most commonly used tools by security testers is static application security testing (sast). this type of testing is designed to analyze application source code, byte code, and binaries for common vulnerabilities, including coding and design conditions that might lead to potential security vulnerabilities.
adopting sast is theoretically a good development practice, as it enables developers to know: are there any issues with the software; how many; and what and where are they? assessing the code with a static analyzer will provide some direction, but is not a catch-all solution, especially when security is at stake. this is because sast tools do not actually execute the code, but instead, try to understand what the code is doing "behind the scenes" to identify where errors are. they analyze elements such as syntax, semantics, variable estimation, as well control and data flow to identify issues in the code.
sast is usually rule-based and runs late in the development cycle, and the results, when used alone, can create potential false positives (when the tool reports a possible vulnerability that is not an actual vulnerability). that leaves security engineers looking for a ‘needle in the haystack’ when identifying the genuine vulnerabilities. furthermore, many sast tools only help zero in on at-risk portions of the code to help developers find flaws more efficiently, rather than finding the actual security issues automatically. this can lead to time-consuming processes as well as incomplete analyses, both of which can be detrimental in the software development world.
to address this, new dynamic unit testing methods are emerging that actually expose defects in software by generating a test case and confirming exploitability. utilizing mitre’s classification of a common weakness enumeration (cwe), the approach uses automated software testing methods to interrogate an application’s software code and identify possible weaknesses. the community-developed formal cwe list serves as a common language for describing software security weaknesses in architecture and code and is a standard, common lexicon for tools detecting such potential weaknesses.
in the cwe taxonomy, there are numerous weaknesses where the use of dynamic testing can highlight vulnerabilities -- in particular anything with hard errors such as the use of null pointers or dividing by zero.
in this dynamic testing approach, once a potential cwe is found, a test exploiting the identified issue is generated and executed. after execution, test tools can analyze the execution trace and decide if the potential cwe is a genuine threat. that issue can then be classified as a common vulnerability and exposure (cve).
figure 1: dynamic unit testing methods can expose software defects by generating a test case and confirming exploitability. once a potential cwe is found, a test exploiting the identified issue is generated and executed. after execution, test tools analyze the execution trace and decide if the potential cwe is a genuine threat, which is then be classified as a cve.
this is based on the “synthesis” of executions leading to specific software issues (e.g., the automatic construction of a dynamic test exploiting a given vulnerability), allowing for the identification and automatic testing of undiagnosed cybersecurity vulnerabilities. the construction of this exploit is then paired with its dynamic execution to determine if the vulnerability is genuinely exploitable. this type of dynamic testing performs an upfront analysis of the code to detect potential issues (much like a static analyzer), which could actually contain false positives. however, once a potential issue has been identified, it also attempts to perform "automatic exploit construction."
unlike approaches based on static analysis, this type of software security testing will only flag an issue if it is genuinely exploitable, mitigating the issues of false-positives. the generation of test artifacts allows for their future re-execution to demonstrate the mitigation of a potential issue after software redesign.
as the threat landscape continues to evolve and change with the growth of new technologies, security becomes increasingly important – and complex. static analysis security testing has benefits, but dynamic testing can further expose defects in software by generating a test case and confirming exploitability to find vulnerabilities more definitely – ultimately creating a more secure product.
Opinions expressed by DZone contributors are their own.