Perception of Security Issues in the
Development of Cloud-IoT Systems
by a Novice Programmer
Fulvio CORNO, Luigi DE RUSSIS, and Luca MANNELLA
e-Lite Research Group, Politecnico di Torino, Turin, Italy
WoRIE’21: June 22nd, 2021
10th Workshop On the Reliability of Intelligent Environments
OUTLINE
• Introduction
• Use Case Architecture Analysis
• Amazon Web Services Security Analysis
• Developers’ Perspective on AWS Security
• Conclusions & Discussions
2021-06-22
WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA 2
INTRODUCTION
• Research Question:
Is a Cloud-IoT platform secure when it is used by a Novice IoT Programmer?
• Novice IoT Programmer
• Software developer novice to the IoT world
• Not novice to programming
• An attractive platform for Novice IoT Programmer: Amazon Web Services
• Very famous and widespread
• One of the most complete cloud platforms
• Provides services on demand
USE CASE ARCHITECTURE ANALYSIS
A CLOUD-IOT ARCHITECTURE
• Sensing devices
• Acting devices
• Some front-end devices
• AWS cloud back-end
• Manages the devices
• Stores data in a database
• Provides some APIs for the front-end devices
MAIN COMMON ATTACK POINTS
• Back-end
• The developed code inside the AWS Lambda functions
• The database
• Front-end devices
• Out of the developer's control
• The data-flows between
• The sensors and the back-end
• The back-end and the actuators
• The API gateway and the front-end devices
AMAZON WEB SERVICES SECURITY ANALYSIS
AWS ANALYSIS
• Data Flow Protection
• Data could be eavesdropped, tampered with, and forged
• AWS requires encrypted connections to its back-end
• TLS for HTTP connections
• IPsec using Amazon VPC
• Database Protection
• Requests to DB must contain a valid HMAC-SHA256 signature
• DynamoDB is accessible via TLS endpoints
• Data in transit is protected
• By default, DynamoDB data is encrypted at rest
• Fine-grained access control policies (through IAM)
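The HMAC-SHA256 request signature mentioned above, worked through as an added example that is not part of the slides: the Signature Version 4 key-derivation and signing chain implemented with Python's standard library, plus the verification step a receiver performs, which rejects a payload modified in transit. The secret key, host, table name and request payload are constructed placeholders, not real credentials or data.

```python
"""Added example (not from the slides): SigV4-style HMAC-SHA256 request signing
and the verification that makes a tampered DynamoDB request fail."""
import hashlib
import hmac


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key chain: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    The long-term secret never signs a request directly; only this derived key does."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, uri: str, query: str, headers: dict, payload: bytes) -> str:
    """Canonical form of the request: every signed header and the payload hash are
    covered, so changing any of them changes the signature."""
    names = sorted(headers, key=str.lower)
    canonical_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(n.lower() for n in names)
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, uri, query, canonical_headers, signed_headers, payload_hash])


def sign_request(secret_key: str, region: str, service: str, method: str, uri: str,
                 query: str, headers: dict, payload: bytes) -> str:
    """Return the hex HMAC-SHA256 signature the client places in its Authorization header."""
    amz_date = headers["x-amz-date"]            # e.g. 20210622T120000Z
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq = canonical_request(method, uri, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(secret_key: str, region: str, service: str, method: str, uri: str,
                   query: str, headers: dict, payload: bytes, signature: str) -> bool:
    """Receiver side: recompute the signature and compare it in constant time."""
    expected = sign_request(secret_key, region, service, method, uri, query, headers, payload)
    return hmac.compare_digest(expected, signature)


# Constructed sample: a PutItem call as a sensor back-end might issue it.
# The secret key and host are placeholders, not real credentials or endpoints.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
REGION, SERVICE = "eu-west-1", "dynamodb"
HEADERS = {
    "host": "dynamodb.eu-west-1.amazonaws.com",
    "content-type": "application/x-amz-json-1.0",
    "x-amz-date": "20210622T120000Z",
    "x-amz-target": "DynamoDB_20120810.PutItem",
}
PAYLOAD = b'{"TableName":"sensor_readings","Item":{"device":{"S":"temp-01"},"value":{"N":"21.5"}}}'
TAMPERED_PAYLOAD = PAYLOAD.replace(b"21.5", b"99.9")   # an in-transit modification


def demo() -> tuple:
    """Sign the original request, then verify it and the tampered copy."""
    sig = sign_request(SECRET_KEY, REGION, SERVICE, "POST", "/", "", HEADERS, PAYLOAD)
    genuine = verify_request(SECRET_KEY, REGION, SERVICE, "POST", "/", "", HEADERS, PAYLOAD, sig)
    forged = verify_request(SECRET_KEY, REGION, SERVICE, "POST", "/", "", HEADERS,
                            TAMPERED_PAYLOAD, sig)
    return sig, genuine, forged


if __name__ == "__main__":
    signature, genuine, forged = demo()
    print("signature:", signature)
    print("original accepted:", genuine, "| tampered accepted:", forged)
```

The signature binds the payload hash and every signed header to a key derived for one date, region and service, so a mutated body, a changed header, or a key derived for another service or date all fail verification; this is the integrity guarantee the slide refers to, and it holds independently of the TLS layer underneath.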
AWS ACCOUNT PROTECTION
• Two different types of account
• Root user
• Identity and Access Management (IAM) users
• Created by Root user
• An account with customizable privileges
• Weakness in Amazon’s policies
• Users are not forced to create IAM accounts
• Password policy is vulnerable to dictionary attacks
• E.g.: a password like “Amaz0nWS” is accepted
DEVELOPERS’ PERSPECTIVE ON AWS SECURITY
OUR NOVICE PROGRAMMERS
• Developers from a consulting engineering company in Italy
• They were starting their first professional Cloud-IoT project
• They had to work on AWS for the first time
• They had just followed a short Cloud-IoT course
• With a final project to deliver
• After the course, we asked them to fill in the survey
• 6 out of 9 attendees from the Cloud-IoT Course (all males)
DEVELOPER’S PERCEPTION
• They feel inexperienced in cybersecurity
• 5 out of 6 answered 1/5; the other answered 2/5
• Who is in charge of the security of what you developed on AWS?
• 2 out of 6 => “Entirely the developer”
• 4 out of 6 => “Both developer and AWS”
• All think the architecture could include security issues
• Nobody acted to mitigate the security problems they had in mind
DEVELOPER’S PERCEPTION
ABOUT THE ARCHITECTURE SECURITY
• The most secure point
• AWS DynamoDB Database
• The least secure point
• The data flows between the back-end and the sensors/actuators
• The most critical points
1. Data flows to the actuators
2. The back-end code on AWS Lambda
3. Data flows from the sensors to the back-end
• The worst consequences
1. Cyber-physical attacks
2. A Data Breach
SECURITY BEST PRACTICES
• They all created “strong” passwords
• Dictionary attacks?
• Only 1 out of 6 created an IAM account
• 2 out of 5 specified they should have
• 4 out of 6 did not check whether they were using TLS
• 5 out of 6 did not check whether DB data at rest is encrypted
• No one used an additional service to improve security
• E.g., AWS IoT Device Defender
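The gaps listed on this slide, together with the password-policy weakness from the AWS account protection slide, turned into checks a developer can run before delivering. This is an added example, not code from the slides or from AWS: the wordlist, the sample passwords, the endpoint URL and the DescribeTable response are constructed, and the reading of SSEDescription (absent on tables using the default AWS-owned key, Status ENABLED on KMS-encrypted ones) is my assumption about the boto3 response shape.

```python
"""Added example (not from the slides): pre-delivery checks for the practices the
surveyed developers skipped: dictionary-resistant passwords, TLS endpoints and
encryption at rest."""
import re
from urllib.parse import urlparse

# Constructed mini wordlist; a real check loads a full dictionary or a breach list.
COMMON_WORDS = ["password", "welcome", "amazon", "lambda", "admin"]
# Substitutions undone before the lookup, so "Amaz0n" is seen as "amazon".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity_rules(password: str, min_length: int = 8) -> bool:
    """A complexity-only policy: length plus upper/lower/digit character classes.
    This is the kind of rule that lets "Amaz0nWS" through."""
    has_classes = all(re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"[0-9]"))
    return len(password) >= min_length and has_classes


def dictionary_word_in(password: str):
    """Return the wordlist entry hidden in the password after undoing leetspeak, else None."""
    normalized = password.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in normalized:
            return word
    return None


def password_is_strong(password: str) -> bool:
    """Strong means: passes the complexity rules AND contains no dictionary word."""
    return meets_complexity_rules(password) and dictionary_word_in(password) is None


def endpoint_uses_tls(endpoint_url: str) -> bool:
    """The 'did you check TLS' item: reject any client endpoint that is not https."""
    return urlparse(endpoint_url).scheme == "https"


def at_rest_key_type(describe_table_response: dict) -> str:
    """The 'did you check encryption at rest' item, read from a DescribeTable
    response (boto3 shape). Assumption: tables on the default AWS-owned key carry
    no SSEDescription; KMS-encrypted tables report Status ENABLED."""
    sse = describe_table_response.get("Table", {}).get("SSEDescription")
    if sse is None:
        return "aws-owned-key"
    status = sse.get("Status", "UNKNOWN")
    return "kms" if status == "ENABLED" else "kms-" + status.lower()


def audit(password: str, endpoint_url: str, describe_table_response: dict) -> dict:
    """Collect the checks into one report a novice can act on."""
    return {
        "password_complexity_ok": meets_complexity_rules(password),
        "password_dictionary_hit": dictionary_word_in(password),
        "password_strong": password_is_strong(password),
        "endpoint_tls": endpoint_uses_tls(endpoint_url),
        "at_rest": at_rest_key_type(describe_table_response),
    }


# Constructed inputs: the slide's example password, a plain-http local endpoint,
# and a DescribeTable response for a KMS-encrypted table.
SAMPLE_TABLE = {"Table": {"TableName": "sensor_readings",
                          "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}}

if __name__ == "__main__":
    for pw in ("Amaz0nWS", "kX9#vt2Lq!mR"):
        print(pw, "->", audit(pw, "http://localhost:8000", SAMPLE_TABLE))
```

The point of the password part is the contrast the slides make: "Amaz0nWS" satisfies every character-class rule, so a complexity-only policy reports it as strong, while the leetspeak-normalizing lookup finds "amazon" inside it. The two configuration checks are deliberately cheap, so that "did not check" stops being an option.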
CONCLUSIONS & FUTURE WORKS
CONCLUSIONS
• Even professionals do not feel comfortable with cybersecurity
• Novice in IoT, not Novice Programmers
• Knowing that security is important is not enough to act
• 2 out of 6 answered: “security is a responsibility of the developer”
• All thought the architecture could be insecure
• Nobody acted to mitigate the problem
• AWS is a good choice for implementing a secure Cloud-IoT solution
• Even for a novice programmer
• Suggestions for AWS:
• Force users to create at least one IAM account
• The password policy should resist basic dictionary attacks
FUTURE WORKS
• Running the survey on a larger sample of Novice IoT Programmers
• Analyzing other specific aspects and platforms
• E.g., Arduino devices
• Providing best practices and tools for developing more reliable IoT systems
THANK YOU FOR YOUR KIND ATTENTION!
ANY QUESTIONS?
Fulvio Corno
Luigi De Russis
Luca Mannella

Contenu connexe

Tendances

Developing Applications with the IoT Button - DevDay Austin 2017
Developing Applications with the IoT Button - DevDay Austin 2017Developing Applications with the IoT Button - DevDay Austin 2017
Developing Applications with the IoT Button - DevDay Austin 2017Amazon Web Services
 
Using FIWARE and Microsoft Azure for the development of IoT solutions
Using FIWARE and Microsoft Azure for the development of IoT solutionsUsing FIWARE and Microsoft Azure for the development of IoT solutions
Using FIWARE and Microsoft Azure for the development of IoT solutionsDunavNET
 
WSO2 IoT Server and Device Cloud
WSO2 IoT Server and Device CloudWSO2 IoT Server and Device Cloud
WSO2 IoT Server and Device CloudWSO2
 
Keepler | IoT Analytics & AI on Edge Computing
Keepler | IoT Analytics & AI on Edge ComputingKeepler | IoT Analytics & AI on Edge Computing
Keepler | IoT Analytics & AI on Edge ComputingKeepler Data Tech
 
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Codit
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesMichele Vecchione
 
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for businessCreator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for businessPaul Evans
 
Octoblu, the IoT platform
Octoblu, the IoT platformOctoblu, the IoT platform
Octoblu, the IoT platformLudovic Bouvier
 
Using an Open Source RESTful Backend for IoT Applications
Using an Open Source RESTful Backend for IoT ApplicationsUsing an Open Source RESTful Backend for IoT Applications
Using an Open Source RESTful Backend for IoT ApplicationsJan Liband
 
Cybesecurity of the IoT
Cybesecurity of the IoTCybesecurity of the IoT
Cybesecurity of the IoTAltoros
 
IoT and Alexa in the connected home
IoT and Alexa in the connected homeIoT and Alexa in the connected home
IoT and Alexa in the connected homeAmazon Web Services
 
Data, Big Data and real time analytics for Connected Devices
Data, Big Data and real time analytics for Connected DevicesData, Big Data and real time analytics for Connected Devices
Data, Big Data and real time analytics for Connected DevicesSrinath Perera
 
IoT security reference architecture
IoT security  reference architectureIoT security  reference architecture
IoT security reference architectureElias Hasnat
 
Windows for Raspberry Pi 2 Makers (and more!)
Windows for Raspberry Pi 2Makers (and more!)Windows for Raspberry Pi 2Makers (and more!)
Windows for Raspberry Pi 2 Makers (and more!)Guy Barrette
 
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017)
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017) The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017)
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017) Codit
 
IoT Day 2019 Naples - Microsoft Azure Shpere
IoT Day 2019 Naples - Microsoft Azure ShpereIoT Day 2019 Naples - Microsoft Azure Shpere
IoT Day 2019 Naples - Microsoft Azure ShpereMirco Vanini
 
Creator IoT Framework
Creator IoT FrameworkCreator IoT Framework
Creator IoT FrameworkPaul Evans
 
Creating an Internet of Everything
Creating an Internet of Everything Creating an Internet of Everything
Creating an Internet of Everything AllSeen Alliance
 

Tendances (20)

Developing Applications with the IoT Button - DevDay Austin 2017
Developing Applications with the IoT Button - DevDay Austin 2017Developing Applications with the IoT Button - DevDay Austin 2017
Developing Applications with the IoT Button - DevDay Austin 2017
 
Using FIWARE and Microsoft Azure for the development of IoT solutions
Using FIWARE and Microsoft Azure for the development of IoT solutionsUsing FIWARE and Microsoft Azure for the development of IoT solutions
Using FIWARE and Microsoft Azure for the development of IoT solutions
 
WSO2 IoT Server and Device Cloud
WSO2 IoT Server and Device CloudWSO2 IoT Server and Device Cloud
WSO2 IoT Server and Device Cloud
 
Keepler | IoT Analytics & AI on Edge Computing
Keepler | IoT Analytics & AI on Edge ComputingKeepler | IoT Analytics & AI on Edge Computing
Keepler | IoT Analytics & AI on Edge Computing
 
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future Challanges
 
Ccl basics
Ccl basicsCcl basics
Ccl basics
 
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for businessCreator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
Creator Ci40 IoT kit & Framework - scalable LWM2M IoT dev platform for business
 
Octoblu, the IoT platform
Octoblu, the IoT platformOctoblu, the IoT platform
Octoblu, the IoT platform
 
Cloud Customer Architecture for IoT
Cloud Customer Architecture for IoTCloud Customer Architecture for IoT
Cloud Customer Architecture for IoT
 
Using an Open Source RESTful Backend for IoT Applications
Using an Open Source RESTful Backend for IoT ApplicationsUsing an Open Source RESTful Backend for IoT Applications
Using an Open Source RESTful Backend for IoT Applications
 
Cybesecurity of the IoT
Cybesecurity of the IoTCybesecurity of the IoT
Cybesecurity of the IoT
 
IoT and Alexa in the connected home
IoT and Alexa in the connected homeIoT and Alexa in the connected home
IoT and Alexa in the connected home
 
Data, Big Data and real time analytics for Connected Devices
Data, Big Data and real time analytics for Connected DevicesData, Big Data and real time analytics for Connected Devices
Data, Big Data and real time analytics for Connected Devices
 
IoT security reference architecture
IoT security  reference architectureIoT security  reference architecture
IoT security reference architecture
 
Windows for Raspberry Pi 2 Makers (and more!)
Windows for Raspberry Pi 2Makers (and more!)Windows for Raspberry Pi 2Makers (and more!)
Windows for Raspberry Pi 2 Makers (and more!)
 
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017)
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017) The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017)
The truth about IoT field gateways (Sam Vanhoutte @IoT Convention Europe 2017)
 
IoT Day 2019 Naples - Microsoft Azure Shpere
IoT Day 2019 Naples - Microsoft Azure ShpereIoT Day 2019 Naples - Microsoft Azure Shpere
IoT Day 2019 Naples - Microsoft Azure Shpere
 
Creator IoT Framework
Creator IoT FrameworkCreator IoT Framework
Creator IoT Framework
 
Creating an Internet of Everything
Creating an Internet of Everything Creating an Internet of Everything
Creating an Internet of Everything
 

Similaire à Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)The Future of Cloud Networking is VMware NSX (Danish VMUG edition)
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)Scott Lowe
 
Cloud 2.0: Containers, Microservices and Cloud Hybridization
Cloud 2.0: Containers, Microservices and Cloud HybridizationCloud 2.0: Containers, Microservices and Cloud Hybridization
Cloud 2.0: Containers, Microservices and Cloud HybridizationMark Hinkle
 
The Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCThe Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCPatrick Sklodowski
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016Shannon Lietz
 
Micro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMicro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMiki Lombardi
 
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaThe Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaPatrick Sklodowski
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Zero Trust Run-time Kubernetes Security made easy with AccuKnox
Zero Trust Run-time Kubernetes Security made easy with AccuKnoxZero Trust Run-time Kubernetes Security made easy with AccuKnox
Zero Trust Run-time Kubernetes Security made easy with AccuKnoxAccuKnox
 
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshopPriyanka Aash
 
Why cloud native matters
Why cloud native mattersWhy cloud native matters
Why cloud native mattersCheryl Hung
 
Reactive Fast Data & the Data Lake with Akka, Kafka, Spark
Reactive Fast Data & the Data Lake with Akka, Kafka, SparkReactive Fast Data & the Data Lake with Akka, Kafka, Spark
Reactive Fast Data & the Data Lake with Akka, Kafka, SparkTodd Fritz
 
InfoSec 2011: Crash Course Open Source Cloud Computing
InfoSec 2011: Crash Course Open Source Cloud ComputingInfoSec 2011: Crash Course Open Source Cloud Computing
InfoSec 2011: Crash Course Open Source Cloud ComputingMark Hinkle
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersNVISIA
 
Kubernetes and Container Technologies from Cloud Native Computing Foundation
Kubernetes and Container Technologies from Cloud Native Computing FoundationKubernetes and Container Technologies from Cloud Native Computing Foundation
Kubernetes and Container Technologies from Cloud Native Computing FoundationCloud Standards Customer Council
 
The Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXThe Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXScott Lowe
 
John Merline - How make your cloud SASE
John Merline - How make your cloud SASE John Merline - How make your cloud SASE
John Merline - How make your cloud SASE AWS Chicago
 
Dutchcontainerdays
DutchcontainerdaysDutchcontainerdays
Dutchcontainerdays4bakker
 
Discover - Securing Your Hybrid Cloud
Discover - Securing Your Hybrid CloudDiscover - Securing Your Hybrid Cloud
Discover - Securing Your Hybrid CloudLaurenWendler
 

Similaire à Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer (20)

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)The Future of Cloud Networking is VMware NSX (Danish VMUG edition)
The Future of Cloud Networking is VMware NSX (Danish VMUG edition)
 
Cloud 2.0: Containers, Microservices and Cloud Hybridization
Cloud 2.0: Containers, Microservices and Cloud HybridizationCloud 2.0: Containers, Microservices and Cloud Hybridization
Cloud 2.0: Containers, Microservices and Cloud Hybridization
 
The Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCThe Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYC
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
 
Micro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMicro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - Plansoft
 
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaThe Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Zero Trust Run-time Kubernetes Security made easy with AccuKnox
Zero Trust Run-time Kubernetes Security made easy with AccuKnoxZero Trust Run-time Kubernetes Security made easy with AccuKnox
Zero Trust Run-time Kubernetes Security made easy with AccuKnox
 
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop
(SACON 2020) Practical Exploitation of IoT Networks and Ecosystems workshop
 
Why cloud native matters
Why cloud native mattersWhy cloud native matters
Why cloud native matters
 
Reactive Fast Data & the Data Lake with Akka, Kafka, Spark
Reactive Fast Data & the Data Lake with Akka, Kafka, SparkReactive Fast Data & the Data Lake with Akka, Kafka, Spark
Reactive Fast Data & the Data Lake with Akka, Kafka, Spark
 
InfoSec 2011: Crash Course Open Source Cloud Computing
InfoSec 2011: Crash Course Open Source Cloud ComputingInfoSec 2011: Crash Course Open Source Cloud Computing
InfoSec 2011: Crash Course Open Source Cloud Computing
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of Containers
 
Kubernetes and Container Technologies from Cloud Native Computing Foundation
Kubernetes and Container Technologies from Cloud Native Computing FoundationKubernetes and Container Technologies from Cloud Native Computing Foundation
Kubernetes and Container Technologies from Cloud Native Computing Foundation
 
The Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXThe Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSX
 
John Merline - How make your cloud SASE
John Merline - How make your cloud SASE John Merline - How make your cloud SASE
John Merline - How make your cloud SASE
 
Dutchcontainerdays
DutchcontainerdaysDutchcontainerdays
Dutchcontainerdays
 
Discover - Securing Your Hybrid Cloud
Discover - Securing Your Hybrid CloudDiscover - Securing Your Hybrid Cloud
Discover - Securing Your Hybrid Cloud
 

Dernier

Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptNANDHAKUMARA10
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...SUHANI PANDEY
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfEr. Suman Jyoti
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 

Dernier (20)

Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard                                  .NFPA 5000 2024 standard                                  .
NFPA 5000 2024 standard .
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Unit 2- Effective stress & Permeability.pdf

Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer

  • 1. Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer
    Fulvio CORNO, Luigi DE RUSSIS, and Luca MANNELLA
    e-Lite Research Group, Politecnico di Torino, Turin, Italy
    WoRIE’21: June 22nd, 2021, 10th Workshop On the Reliability of Intelligent Environments
  • 2. OUTLINE
    • Introduction
    • Use Case Architecture Analysis
    • Amazon Web Services Security Analysis
    • Developers’ Perspective on AWS Security
    • Conclusions & Discussions
    2021-06-22 WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA
  • 3. INTRODUCTION
    • Research Question: Is a Cloud-IoT platform secure when it is used by a Novice IoT Programmer?
    • Novice IoT Programmer
      • A software developer who is new to the IoT world
      • Not new to programming
    • An attractive platform for a Novice IoT Programmer: Amazon Web Services
      • Very well known and widespread
      • One of the most complete cloud platforms
      • Provides services on demand
  • 4. USE CASE ARCHITECTURE ANALYSIS
  • 5. A CLOUD-IOT ARCHITECTURE
    • Sensing devices
    • Acting devices
    • Some front-end devices
    • AWS cloud back-end
      • Manages the devices
      • Stores data in a database
      • Provides some APIs for the front-end devices
  • 6-8. MAIN COMMON ATTACK POINTS (built up over three slides)
    • Back-end
      • The developed code inside the AWS Lambda functions
      • The database
    • Front-end devices
      • Out of the developer’s control
    • The data flows between
      • The sensors and the back-end
      • The back-end and the actuators
      • The API gateway and the front-end devices
  • 9. AMAZON WEB SERVICES SECURITY ANALYSIS
  • 10. AWS ANALYSIS
    • Data Flow Protection
      • Data could be eavesdropped, tampered with, or forged
      • AWS requires encrypted connections to its back-end
        • TLS for HTTP connections
        • IPsec using Amazon VPC
    • Database Protection
      • Requests to the DB must carry a valid HMAC-SHA256 signature (AWS Signature Version 4)
      • DynamoDB is accessible via TLS endpoints, so data in transit are protected
      • By default, DynamoDB data are encrypted at rest
      • Fine-grained access control policies (through IAM)
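The signature requirement on slide 10 in working code, as an added example that is not part of the slides: a minimal AWS Signature Version 4 signer for a DynamoDB PutItem request, paired with the server-side recomputation that rejects a tampered body or a wrong secret. The access key pair is the placeholder pair used in AWS documentation, the region, host and table name are assumptions, and the canonical request covers only the four headers shown (real SDK clients also sign query strings and any extra headers).

```python
"""AWS Signature Version 4 for a DynamoDB request (added example, not slide code).

Shows why a DynamoDB request cannot be forged or altered in transit without the
caller's secret key: the HMAC-SHA256 signature is derived from the secret and
covers the date, the signed headers and a hash of the request body.
"""
import hashlib
import hmac
import json

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # placeholder key id
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder secret
REGION = "eu-west-1"                                     # assumed region
SERVICE = "dynamodb"
HOST = f"dynamodb.{REGION}.amazonaws.com"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(body: str, amz_date: str, target: str, secret: str = SECRET_KEY) -> dict:
    """Return the headers of a signed DynamoDB POST to '/' (canonical URI for DynamoDB)."""
    date_stamp = amz_date[:8]                      # YYYYMMDD part of the x-amz-date
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-target": target,                    # e.g. DynamoDB_20120810.PutItem
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # method, URI, query string (empty), headers, signed header list, payload hash
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, REGION, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(headers: dict, body: str, secret: str = SECRET_KEY) -> bool:
    """What the service side does: recompute the signature over what it received
    and compare in constant time. Any change to body, date or target fails."""
    expected = sign_request(body, headers["x-amz-date"], headers["x-amz-target"], secret)
    return hmac.compare_digest(expected["authorization"], headers["authorization"])


def demo() -> None:
    # Constructed PutItem body for an assumed table 'SensorReadings'.
    body = json.dumps({"TableName": "SensorReadings",
                       "Item": {"device": {"S": "sensor-1"}, "temp": {"N": "21.5"}}})
    hdrs = sign_request(body, "20210622T100000Z", "DynamoDB_20120810.PutItem")
    print("genuine request verifies:", verify_request(hdrs, body))
    print("tampered reading verifies:", verify_request(hdrs, body.replace("21.5", "99.9")))
    print("wrong secret verifies:", verify_request(hdrs, body, secret="not-the-key"))


if __name__ == "__main__":
    demo()
```

Because the date is inside the signed material, AWS can also reject replays outside its clock-skew window; what the signature does not hide is the body itself, which is why TLS on the endpoint is still needed against eavesdropping.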
  • 11. AWS ACCOUNT PROTECTION
    • Two different types of account
      • Root user
      • Identity and Access Management (IAM) users
        • Created by the Root user
        • Accounts with customizable privileges
    • Weaknesses in Amazon’s policies
      • Users are not forced to create IAM accounts
      • The password policy is vulnerable to dictionary attacks
        • E.g.: a password like “Amaz0nWS” is accepted
  • 12. DEVELOPERS’ PERSPECTIVE ON AWS SECURITY
  • 13. OUR NOVICE PROGRAMMERS
    • Developers from a consulting engineering company in Italy
      • They were starting their first Cloud-IoT professional project
      • They had to work on AWS for the first time
    • They had just followed a short Cloud-IoT course
      • With a final project to deliver
    • After the course we asked them to fill in the survey
      • 6 out of 9 attendees of the Cloud-IoT course answered (all males)
  • 14. DEVELOPERS’ PERCEPTION
    • They feel inexperienced about cybersecurity
      • 5 out of 6 answered 1/5; the other answered 2/5
    • Who is in charge of the security of what you developed on AWS?
      • 2 out of 6 => “Entirely the developer”
      • 4 out of 6 => “Both the developer and AWS”
    • All think the architecture could include security issues
      • No one acted to mitigate the security problems he had in mind
  • 15. DEVELOPERS’ PERCEPTION OF THE ARCHITECTURE’S SECURITY
    • The most secure point
      • The AWS DynamoDB database
    • The least secure point
      • The data flows between the back-end and the sensors/actuators
    • The most critical points
      1. Data flows to the actuators
      2. The back-end code on AWS Lambda
      3. Data flows from the sensors to the back-end
    • The worst consequences
      1. Cyber-physical attacks
      2. A data breach
  • 16. SECURITY BEST PRACTICES
    • They all created “strong” passwords
      • Dictionary attacks?
    • Only 1 out of 6 created an IAM account
      • 2 out of 5 specified they should have
    • 4 out of 6 did not check whether they were using TLS
    • 5 out of 6 did not check whether DB data at rest are encrypted or not
    • No one used an additional service to improve security
      • E.g., AWS IoT Device Defender
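The account-protection weaknesses on slide 11 (root-only usage, a password policy that accepts “Amaz0nWS”) and the unchecked best practices on slide 16, as an added example that is not part of the slides: offline checks a novice could run before shipping. The wordlist, the two IAM policy documents and the CloudTrail-shaped events are constructed here; `meets_default_console_policy` is my reading of the default IAM console password rules (8+ characters, three of four character classes) and is stated as an assumption, not taken from the slides.

```python
"""Offline checks for root usage, weak passwords and over-broad IAM policies
(added example, not slide code). Inputs are constructed; in practice they would
come from `aws iam get-account-password-policy`, `aws iam get-user-policy`
and a CloudTrail export."""
import re
import string

# Constructed wordlist; a real check would load a full dictionary file.
WORDLIST = {"amazon", "password", "welcome", "cloud", "lambda", "dynamo"}

# Common leetspeak substitutions undone before the dictionary lookup.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_default_console_policy(pw: str) -> bool:
    """Assumed mirror of the default IAM console policy: >= 8 characters and at
    least three of upper/lower/digit/symbol. It says nothing about dictionary
    words, which is why "Amaz0nWS" is accepted."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def dictionary_stem(pw: str, wordlist=WORDLIST):
    """Return the dictionary word the password is built from, or None.
    Lowercase, undo leet substitutions, drop non-letters, then look for any
    wordlist entry of four or more letters (longest first)."""
    norm = re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))
    for word in sorted(wordlist, key=len, reverse=True):
        if len(word) >= 4 and word in norm:
            return word
    return None


def assess_password(pw: str) -> tuple:
    """(accepted by the assumed console policy, dictionary stem or None)."""
    return meets_default_console_policy(pw), dictionary_stem(pw)


def audit_policy(policy: dict) -> list:
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
    return findings


# Constructed policy documents: what a novice often grants vs. least privilege.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/SensorReadings"}]}


def root_activity(events: list) -> list:
    """(eventTime, eventName) of API calls made with root credentials;
    CloudTrail records these with userIdentity.type == "Root"."""
    return [(e["eventTime"], e["eventName"]) for e in events
            if e.get("userIdentity", {}).get("type") == "Root"]


SAMPLE_EVENTS = [  # constructed, CloudTrail-shaped
    {"eventTime": "2021-06-22T09:00:00Z", "eventName": "CreateTable",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2021-06-22T09:05:00Z", "eventName": "PutItem",
     "userIdentity": {"type": "IAMUser", "userName": "iot-dev"}},
]

if __name__ == "__main__":
    for pw in ("Amaz0nWS", "x7#Kq9!vRt2L"):
        print(pw, "->", assess_password(pw))
    print("over-broad:", audit_policy(OVERBROAD_POLICY))
    print("least privilege:", audit_policy(LEAST_PRIVILEGE_POLICY))
    print("root calls:", root_activity(SAMPLE_EVENTS))
```

The password check is the one the slides say AWS lacks: “Amaz0nWS” satisfies the character-class rule yet reduces to the dictionary word “amazon”, so a leet-aware wordlist attack finds it. The root-activity filter is the detection counterpart to “force users to create at least one IAM account”: any `Root` entry after initial setup is worth an alert.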
  • 17. CONCLUSIONS & FUTURE WORKS
  • 18. CONCLUSIONS
    • Even professionals do not feel comfortable with cybersecurity
      • Novices in IoT, not novice programmers
    • Knowing that security is important is not enough to act
      • 2 out of 6 answered: “security is a responsibility of the developer”
      • all thought the architecture could be insecure
      • no one acted to mitigate the problem
    • AWS is a good choice for implementing a secure Cloud-IoT solution
      • Even for a novice programmer
    • Suggestions for AWS:
      • force users to create at least one IAM account
      • the password policy should resist basic dictionary attacks
  • 19. FUTURE WORKS
    • Running the survey on a larger sample of Novice IoT Programmers
    • Analyzing other specific aspects and platforms
      • E.g., Arduino devices
    • Providing best practices and tools for developing more reliable IoT systems
  • 20. THANK YOU FOR YOUR KIND ATTENTION! ANY QUESTIONS?
    Fulvio Corno, Luigi De Russis, Luca Mannella