Practical Approaches to IoT Security
Tony Wilson, CISSP

Agenda
• About Me
• Current State of IoT
• Current Threat Landscape
• Practical Security Options
  • Consumers
  • Developers
• Putting it All Together
• Q & A
• Appendix
  • Resources
  • Missteps from Popular IoT Security Fails

About Me
• 10+ years of cyber security and compliance experience
• Expertise in threat intelligence and incident response
• Currently geeking out on machine learning and home cyber security
• My hobbies include fitness activities, fantasy sports, travel, and television / movies

Current State of IoT
• Maximum hype
• Growing number of devices
• High visibility of security limitations
• What is the tipping point?
  • There is no incentive for security until consumers demand it
  • Confluence of ability, opportunity and motivation

Current Threat Landscape
• Barrier to entry is low
  • Malware as a service
• Vectors of choice
  • Phishing
  • Watering holes / exploit kits
• Attack du jour
  • Ransomware
• As the traditional landscape becomes more fortified, attacks will shift more to IoT devices
• “Old vulnerabilities with new capabilities” - Bruce Schneier
• “We might use the internet of things to spy on you” - US intelligence chief
• Stay ahead of the herd

Practical Security Options: Consumers
• Product selection
  • Consider not being an early adopter
  • Choose brands you trust
    • Proven track records
    • Certified by standards bodies
  • Choose products that are patchable
• Adopt general security best practices
  • Unique passwords, multi-factor authentication
  • Smartphone security
• Beef up home security
  • Update / replace the ISP-provided router
  • Firewall
  • Segmentation
  • Next-gen gateways (limited options for home users)
  • User behavior analytics (e.g. Cujo)

Commercial Improvements are Necessary to Make Progress
• Better hardware at lower costs
  • Trade-offs
    • + security --> + processing power
    • + processing power --> + $, + packaging, + battery
  • May be viable for devices like appliances, but not disposables
• Standards
  • Developer-focused
    • Fragmented, adoption still lacking
  • Consumer-focused
    • Sparse

Practical Security Options: Developers
• Align security investment with your brand
  • Examples
    • Volvo: integration of safety (i.e. security) by design
    • Adobe (Flash): reactive approach to security

Practical Security Options: Developers
• Educate yourself about the key elements of IoT security
  • OWASP Top 10
• Adopt a framework or standard
  • Frameworks
    • NIST CPS, IoTivity/OIC, GSMA
  • Standards
    • AllJoyn, Thread, OTrP

Practical Security Options: Developers
• Integrate security into your SDLC
  • DevOps can facilitate automation
    • Automated testing
    • Static analysis
  • Third-party testing
    • Traditional bug bounties
    • Crowdsourced testing
      • Bugcrowd, Applause

Putting it All Together
Profile
• Objective: Create prototype
• Security budget: $0 - $1000
• Security experience: Limited
• Project timeline: 3-6 months
Education
• OWASP Top 10
Hardware / Software
• BeagleBone Black
• Ubuntu Core (Snappy)
• C/C++
SDLC
• Agile
• Define security requirements upfront
• Test iteratively
Code Review
• Static analysis: Clang, Cppcheck, Flawfinder, RATS, Splint, Yasca
• Crowdsourced testing: Bugcrowd
Security Posture
• Not likely to be susceptible to common attacks
• Well positioned to transition to a secure production device
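What the static-analysis step in the SDLC slide and in the profile above actually buys a C/C++ prototype, as an added example that is not code from the deck or from any project it names: the defect class that Flawfinder (which reports strcpy as CWE-120), Cppcheck and the Clang analyzer flag, next to the bounded parser a reviewer would accept instead. The "SET <name>=<value>" command format, the buffer limits, the status enum and the function names parse_set_unsafe / parse_set are assumptions made for illustration; the sample inputs in main are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed device command format (hypothetical): "SET <name>=<value>\n"
 * received over the network, so every byte of it is attacker-controlled. */
#define NAME_MAX_LEN  16
#define VALUE_MAX_LEN 32

enum parse_status { PARSE_OK = 0, PARSE_BAD_FORMAT = 1, PARSE_TOO_LONG = 2 };

struct set_cmd {
    char name[NAME_MAX_LEN + 1];
    char value[VALUE_MAX_LEN + 1];
};

/* The pattern the static analysers flag: three unbounded strcpy() calls
 * (Flawfinder reports strcpy as CWE-120, Cppcheck and the Clang analyzer
 * warn about the possible overflow) and a blind skip over "SET " that is
 * never verified. Kept only to show the finding; never call it on input
 * you do not control. */
void parse_set_unsafe(const char *msg, struct set_cmd *out)
{
    char buf[64];
    strcpy(buf, msg);                 /* CWE-120: msg may exceed 64 bytes     */
    char *eq = strchr(buf, '=');
    if (eq == NULL)
        return;                       /* caller cannot tell this from success */
    *eq = '\0';
    strcpy(out->name, buf + 4);       /* prefix assumed, name unbounded       */
    strcpy(out->value, eq + 1);       /* value unbounded                      */
}

/* Hardened parser: works on an explicit length rather than a NUL, checks
 * the prefix, bounds every copy by its destination, rejects control bytes
 * so the result is a clean C string, and reports failure as a status. */
enum parse_status parse_set(const uint8_t *msg, size_t len, struct set_cmd *out)
{
    static const char prefix[] = "SET ";
    const size_t plen = sizeof prefix - 1;

    memset(out, 0, sizeof *out);      /* never hand back stale fields */
    if (len > 0 && msg[len - 1] == '\n')
        len--;                        /* tolerate a trailing newline */
    if (len < plen || memcmp(msg, prefix, plen) != 0)
        return PARSE_BAD_FORMAT;

    const uint8_t *body = msg + plen;
    size_t blen = len - plen;
    for (size_t i = 0; i < blen; i++)
        if (body[i] < 0x20 || body[i] > 0x7e)
            return PARSE_BAD_FORMAT;  /* NUL, CR, other control bytes */

    const uint8_t *eq = memchr(body, '=', blen);
    if (eq == NULL)
        return PARSE_BAD_FORMAT;
    size_t nlen = (size_t)(eq - body);
    size_t vlen = blen - nlen - 1;
    if (nlen == 0)
        return PARSE_BAD_FORMAT;
    if (nlen > NAME_MAX_LEN || vlen > VALUE_MAX_LEN)
        return PARSE_TOO_LONG;        /* does not truncate silently */

    memcpy(out->name, body, nlen);
    out->name[nlen] = '\0';
    memcpy(out->value, eq + 1, vlen);
    out->value[vlen] = '\0';
    return PARSE_OK;
}

int main(void)
{
    struct set_cmd c;
    const char *ok = "SET led=on\n";                    /* constructed input */
    char big[200];                                      /* constructed: 193-byte value */
    memset(big, 'A', sizeof big);
    memcpy(big, "SET x=", 6);
    big[sizeof big - 1] = '\0';

    if (parse_set((const uint8_t *)ok, strlen(ok), &c) == PARSE_OK)
        printf("name=%s value=%s\n", c.name, c.value);
    printf("oversized value -> status %d\n",
           (int)parse_set((const uint8_t *)big, strlen(big), &c));
    return 0;
}
```

Wire the tools into the CI job the DevOps bullet describes so they gate the build rather than produce a report nobody reads: cppcheck --enable=warning --error-exitcode=1 on the source tree returns non-zero on a finding, and Flawfinder's hit on parse_set_unsafe is the review comment to resolve before merge. The hardened parser is also what moves the profile's security posture from "not likely to be susceptible" to something a third-party tester can confirm: every rejection path returns a distinct status that a test can assert on.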

Closing Thoughts
• Baby steps
• Progress, not perfection

Q & A
tonywilsonjunior@gmail.com

Resources
• OWASP
  • OWASP Internet of Things Project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main
• Standards and frameworks
  • Thread: http://threadgroup.org/
  • AllJoyn / AllSeen Alliance: https://allseenalliance.org/
  • Industrial Internet Reference Architecture: http://www.iiconsortium.org/IIRA.htm
  • IEEE P2413: https://standards.ieee.org/develop/project/2413.html
  • Apple HomeKit: https://developer.apple.com/homekit/
  • IoTivity: https://www.iotivity.org/
  • NIST CPS PWG Cyber-Physical Systems (CPS) Framework Release 1.0: https://pages.nist.gov/cpspwg/
  • GSMA IoT Security Guidelines: http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/

Resources (continued)
• Crowd testing
  • Bugcrowd: https://bugcrowd.com/
  • Applause: https://www.applause.com/security-testing/
• Static analysis
  • NIST compilation of tools: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

Missteps from Popular IoT Security Fails
Device                 | Attack                                    | Vector
Bluetooth smart locks  | Open locks                                | Static/default passwords; poor standard implementation
Jeep Cherokee          | Remote operation; denial of service       | Guessable Wi-Fi password (entry point)
Tesla Model S          | Unauthorized operation; denial of service | Physical security; unpatched OS
Barbie                 | Eavesdropping                             | Unpatched server; weak app authentication
Baby monitors          | Spying; privacy invasion; verbal abuse    | Default passwords; guessable account numbers; lack of encryption
Sniper rifle           | Denial of service; sabotage               | Default password
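The vectors that recur down the table are default or static passwords, guessable account numbers and weak app authentication. The following is an added example of the firmware-side checks that close them; it is not code from the deck or from any of the products named. The factory-default list, the 32-hex-character device ID, the 64-byte token limit and the function names (is_factory_default, generate_device_id, verify_token) are assumptions made for illustration, and the values in main are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical factory credentials this firmware shipped with. Boot-time
 * provisioning refuses to enable the network service while any is in use,
 * which is the fix for the "default password" rows in the table. */
static const char *const FACTORY_DEFAULTS[] = { "admin", "password", "1234", "" };

int is_factory_default(const char *secret)
{
    size_t n = sizeof FACTORY_DEFAULTS / sizeof FACTORY_DEFAULTS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(secret, FACTORY_DEFAULTS[i]) == 0)
            return 1;
    return 0;
}

/* Guessable pattern (the baby-monitor "account numbers" row): a counter
 * lets anyone who knows one ID enumerate every other device. */
uint32_t next_sequential_id(uint32_t *counter)
{
    return ++*counter;
}

/* Unguessable pattern: 128 bits from the kernel CSPRNG, written as 32 hex
 * characters. Returns 0 on success, -1 if the buffer is too small or
 * /dev/urandom cannot be read (the device must then fail closed). */
int generate_device_id(char *out, size_t outlen)
{
    uint8_t raw[16];
    if (outlen < 2 * sizeof raw + 1)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Constant-time equality: the loop always runs over all n bytes, so the
 * response time does not reveal how many leading bytes were right. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Token check for the app/device API ("weak app authentication" row):
 * both sides are copied into zero-padded fixed buffers and compared in
 * full; the length check is combined with '&' rather than '&&' so it
 * does not short-circuit. Tokens longer than 64 bytes are rejected. */
int verify_token(const char *stored, const char *given)
{
    uint8_t a[64] = {0}, b[64] = {0};
    size_t ls = strlen(stored), lg = strlen(given);
    if (ls > sizeof a || lg > sizeof b)
        return 0;
    memcpy(a, stored, ls);
    memcpy(b, given, lg);
    return ct_equal(a, b, sizeof a) & (ls == lg);
}

int main(void)
{
    char id[33];
    printf("'admin' is a factory default: %d\n", is_factory_default("admin"));
    if (generate_device_id(id, sizeof id) == 0)
        printf("provisioned device id: %s\n", id);
    printf("token match: %d  near miss: %d\n",
           verify_token("7f3a9c1e", "7f3a9c1e"), verify_token("7f3a9c1e", "7f3a9c1f"));
    return 0;
}
```

The point of pairing next_sequential_id with generate_device_id is that the weak version is the one that is easiest to write, which is how it ships; the unguessable ID costs one read from the CSPRNG and nothing else on the bill of materials, so it is available even to the $0 budget prototype profiled above. Hashing the stored secret and rate-limiting failed attempts are the next two steps for a production device and are outside what this example shows.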

Contenu connexe

Tendances

[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
State of Cyber: Views from an Industry Insider
State of Cyber: Views from an Industry InsiderState of Cyber: Views from an Industry Insider
State of Cyber: Views from an Industry InsiderBen Johnson
 
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...CODE BLUE
 
Community IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Innovators
 
Cyber security innovation imho
Cyber security innovation imhoCyber security innovation imho
Cyber security innovation imhoW Fred Seigneur
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To IDERA Software
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433Terry Gilsenan
 
The New Normal - Rackspace Solve 2015
The New Normal - Rackspace Solve 2015The New Normal - Rackspace Solve 2015
The New Normal - Rackspace Solve 2015Major Hayden
 
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
Why	You’ll Care More About Mobile Security in 2020 - Tom BainWhy	You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom BainEC-Council
 
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Robi Sen
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...TruShield Security Solutions
 
Building a Mobile Security Model
Building a Mobile Security Model Building a Mobile Security Model
Building a Mobile Security Model tmbainjr131
 
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeStephen Cobb
 

Tendances (20)

[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
State of Cyber: Views from an Industry Insider
State of Cyber: Views from an Industry InsiderState of Cyber: Views from an Industry Insider
State of Cyber: Views from an Industry Insider
 
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how...
 
Community IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for Nonprofits
 
Cyber security innovation imho
Cyber security innovation imhoCyber security innovation imho
Cyber security innovation imho
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of Things
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433
 
Core define and_win_cmd_line gr
Core define and_win_cmd_line grCore define and_win_cmd_line gr
Core define and_win_cmd_line gr
 
Tim Nolan
Tim NolanTim Nolan
Tim Nolan
 
The New Normal - Rackspace Solve 2015
The New Normal - Rackspace Solve 2015The New Normal - Rackspace Solve 2015
The New Normal - Rackspace Solve 2015
 
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
Why	You’ll Care More About Mobile Security in 2020 - Tom BainWhy	You’ll Care More About Mobile Security in 2020 - Tom Bain
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
 
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
 
The Current State of Cybersecurity
The Current State of CybersecurityThe Current State of Cybersecurity
The Current State of Cybersecurity
 
Building a Mobile Security Model
Building a Mobile Security Model Building a Mobile Security Model
Building a Mobile Security Model
 
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
 

En vedette

Blueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductBlueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductGuy Vinograd ☁
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Mauro Risonho de Paula Assumpcao
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security OverviewAmazon Web Services
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Erez Metula
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 

En vedette (10)

Blueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductBlueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT Product
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security Elements
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security Overview
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016Iot top 10 vulnerabilities and misconceptions 2016
Iot top 10 vulnerabilities and misconceptions 2016
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 

Similaire à Practical approaches to IoT security

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011dma1965
 
LPWAN London Meetup: Securing your IoT products
LPWAN London Meetup: Securing your IoT productsLPWAN London Meetup: Securing your IoT products
LPWAN London Meetup: Securing your IoT productsDigital Catapult
 
IoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsIoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsKenny Huang Ph.D.
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...APNIC
 
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...APNIC
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentMark Szewczul, CISSP
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.pptssusera76ea9
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalFrank Siepmann
 

Similaire à Practical approaches to IoT security (20)

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
Product Security
Product SecurityProduct Security
Product Security
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 
OWASP
OWASPOWASP
OWASP
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011
 
LPWAN London Meetup: Securing your IoT products
LPWAN London Meetup: Securing your IoT productsLPWAN London Meetup: Securing your IoT products
LPWAN London Meetup: Securing your IoT products
 
IoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsIoT Security and Privacy Considerations
IoT Security and Privacy Considerations
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
 
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.ppt
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 

Dernier

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607dollysharma2066
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...Escorts service
 
How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxDiversity In Toys
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfSmartinfologiks
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Managementirahtarando
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxdmtillman
 
Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsailfergusonamani
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893Health
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsMonica Sydney
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...ZurliaSoop
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCFikrie Omar
 
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESMotiveflikr Media
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inStartupSprouts.in
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...StartupSprouts.in
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i templateFerruccio Martinelli
 

Dernier (15)

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377087607
 
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
JAIPUR CALL GIRLS SERVICE REAL HOT SEXY 👯 CALL GIRLS IN JAIPUR BOOK YOUR DREA...
 
How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptx
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Management
 
Dàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptxDàni Velvet Personal Brand Exploration (1).pptx
Dàni Velvet Personal Brand Exploration (1).pptx
 
Famedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . FullsailFamedesired Project portfolio1 . Fullsail
Famedesired Project portfolio1 . Fullsail
 
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
+971565801893>>Safe and original mtp kit for sale in Dubai>>+971565801893
 
Indian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girlsIndian Call girl in Dubai 0508644382 Dubai Call girls
Indian Call girl in Dubai 0508644382 Dubai Call girls
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
 
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
 
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.inEV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
EV Electric Vehicle Startup Pitch Deck- StartupSprouts.in
 
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
Shareholders Agreement Template for Compulsorily Convertible Debt Funding- St...
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i template
 

Practical approaches to IoT security

  • 1. Practical Approaches to IoT Security
    Tony Wilson, CISSP
  • 2. Agenda
    - About Me
    - Current State of IoT
    - Current Threat Landscape
    - Practical Security Options
      - Consumers
      - Developers
    - Putting it All Together
    - Q & A
    - Appendix
      - Resources
      - Missteps from Popular IoT Security Fails
  • 3. About Me
    - 10+ years cyber security and compliance experience
    - Expertise in Threat Intelligence and Incident Response
    - Currently geeking out on machine learning and home cyber security
    - My hobbies include fitness activities, fantasy sports, travel and television / movies
  • 4. Current State of IoT
    - Maximum hype
    - Growing number of devices
    - High visibility of security limitations
    - What is the tipping point?
      - There is no incentive for security until consumers demand it
      - Confluence of ability, opportunity and motivation
  • 5. Current Threat Landscape
    - Barrier to entry is low
      - Malware as a service
    - Vectors of choice
      - Phishing
      - Watering holes / exploit kits
    - Attack du jour
      - Ransomware
    - As the traditional landscape becomes more fortified, attacks will shift more to IoT devices
    - "Old vulnerabilities with new capabilities" - Bruce Schneier
    - "We might use the internet of things to spy on you" - US intelligence chief
    - Stay ahead of the herd
  • 6. Practical Security Options: Consumers
    - Product selection
      - Consider not being an early adopter
      - Choose brands you trust
        - Proven track records
        - Certified by standards bodies
      - Choose products that are patchable
    - Adopt general security best practices
      - Unique passwords, multi-factor authentication
      - Smartphone security
    - Beef up home security
      - Update / replace ISP-provided router
      - Firewall
      - Segmentation
      - Next-gen gateways (limited options for home users)
        - User Behavior Analytics (Cujo)
  • 7. Commercial Improvements are Necessary to Make Progress
    - Better hardware at lower costs
      - Trade-offs
        - + security --> + processing power
        - + processing power --> + $, + packaging, + battery
      - May be viable for devices like appliances, but not disposables
    - Standards
      - Developer-focused
        - Fragmented, adoption still lacking
      - Consumer-focused
        - Sparse
  • 8. Practical Security Options: Developers
    - Align security investment with your brand
    - Examples
      - Volvo
        - Integration of safety (i.e. security) by design
      - Adobe (Flash)
        - Reactive approach to security
  • 9. Practical Security Options: Developers
    - Educate yourself about key elements of IoT security
      - OWASP Top 10
    - Adopt a framework or standard
      - Frameworks
        - NIST CPS, IoTivity/OIC, GSMA
      - Standards
        - AllJoyn, Thread, OTrP
  • 10. Practical Security Options: Developers
    - Integrate security into your SDLC
      - DevOps can facilitate automation
    - Automated testing
      - Static analysis
    - Third-party testing
      - Traditional bug bounties
      - Crowdsourced testing
        - Bugcrowd, Applause
  • 11. Putting it All Together
    Profile
    - Objective: Create prototype
    - Security budget: $0 - $1000
    - Security experience: Limited
    - Project timeline: 3-6 months
    Education
    - OWASP Top 10
    Hardware / Software
    - BeagleBone Black
    - Ubuntu Core (Snappy)
    - C/C++
    SDLC
    - Agile
    - Define security requirements upfront
    - Test iteratively
    Code Review
    - Static analysis: Clang, Cppcheck, Flawfinder, RATS, Splint, Yasca
    - Crowdsourced testing: Bugcrowd
    Security Posture
    - Not likely to be susceptible to common attacks
    - Well positioned to transition to a secure production device
  • 12. Closing Thoughts
    - Baby steps
    - Progress, not perfection
  • 14. Resources
    - OWASP: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main
    - Standards and frameworks
      - Thread: http://threadgroup.org/
      - AllJoyn / AllSeen: https://allseenalliance.org/
      - Industrial Internet Reference Architecture: http://www.iiconsortium.org/IIRA.htm
      - IEEE P2413: https://standards.ieee.org/develop/project/2413.html
      - Apple HomeKit: https://developer.apple.com/homekit/
      - IoTivity: https://www.iotivity.org/
      - NIST CPS PWG Cyber-Physical Systems (CPS) Framework Release 1.0: https://pages.nist.gov/cpspwg/
      - GSMA: http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
  • 15. Resources
    - Crowd testing
      - Bugcrowd: https://bugcrowd.com/
      - Applause: https://www.applause.com/security-testing/
    - Static analysis
      - NIST compilation of tools: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
  • 16. Missteps from Popular IoT Security Fails (Device / Attack / Vector)
    - Bluetooth smart locks
      - Attack: open locks
      - Vector: static/default passwords; poor standard implementation
    - Jeep Cherokee
      - Attack: remote operation; denial of service
      - Vector: guessable Wi-Fi password (entry point)
    - Tesla Model S
      - Attack: unauthorized operation; denial of service
      - Vector: physical security; unpatched OS
    - Barbie
      - Attack: eavesdropping
      - Vector: unpatched server; weak app authentication
    - Baby monitors
      - Attack: spying; privacy invasion; verbal abuse
      - Vector: default passwords; guessable account numbers; lack of encryption
    - Sniper rifle
      - Attack: denial of service; sabotage
      - Vector: default password
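The vectors in the appendix table repeat across very different products: default or static passwords, guessable account numbers, unencrypted channels and unpatched software. Slide 11 says to "define security requirements upfront"; one concrete way to do that on a C/C++ prototype is to encode those requirements as a boot-time gate that keeps the device in a local setup mode until they are met. The block below is an added example, not code from the slides or from any product named in them; the configuration fields, the factory-default list, the 12-character minimum and the device-id heuristic are all constructed assumptions.

```c
/* Added example (not from the slides): the appendix's recurring attack
 * vectors expressed as design-time requirements that are checked before a
 * prototype exposes any network service. Field names, the factory-default
 * list and the thresholds are assumptions made for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One bit per unmet requirement so a setup screen can report all of them. */
enum req_failure {
    REQ_OK               = 0,
    REQ_DEFAULT_PASSWORD = 1 << 0,  /* still the factory credential (smart locks, baby monitors) */
    REQ_WEAK_PASSWORD    = 1 << 1,  /* short enough to guess (Jeep Wi-Fi entry point) */
    REQ_NO_TLS           = 1 << 2,  /* app/cloud channel unencrypted (baby monitors) */
    REQ_NO_SIGNED_UPDATE = 1 << 3,  /* no verified update path, so it stays unpatched (Tesla, Barbie) */
    REQ_PREDICTABLE_ID   = 1 << 4   /* enumerable account/device id (baby monitors) */
};

struct device_config {
    const char *admin_password;   /* credential for the local admin interface */
    bool        tls_required;     /* refuse plaintext connections to the cloud/app */
    bool        signed_updates;   /* firmware images must carry a verified signature */
    const char *device_id;        /* identifier issued at provisioning */
};

/* Constructed list of credentials a prototype might ship with. */
static const char *const FACTORY_DEFAULTS[] = { "admin", "password", "1234", "" };
#define MIN_PASSWORD_LEN 12

/* Heuristic: a short, purely numeric id was almost certainly assigned
 * sequentially and can be walked by an attacker. Require at least 16
 * characters that are not all digits. */
static bool id_looks_predictable(const char *id)
{
    size_t n = strlen(id), i;
    if (n < 16)
        return true;
    for (i = 0; i < n; i++)
        if (id[i] < '0' || id[i] > '9')
            return false;          /* contains non-digit content */
    return true;                   /* all digits */
}

/* Returns a bitmask of enum req_failure values; REQ_OK when every
 * requirement is satisfied. */
unsigned check_requirements(const struct device_config *cfg)
{
    unsigned failures = REQ_OK;
    size_t i;

    for (i = 0; i < sizeof FACTORY_DEFAULTS / sizeof FACTORY_DEFAULTS[0]; i++)
        if (strcmp(cfg->admin_password, FACTORY_DEFAULTS[i]) == 0)
            failures |= REQ_DEFAULT_PASSWORD;
    if (strlen(cfg->admin_password) < MIN_PASSWORD_LEN)
        failures |= REQ_WEAK_PASSWORD;
    if (!cfg->tls_required)
        failures |= REQ_NO_TLS;
    if (!cfg->signed_updates)
        failures |= REQ_NO_SIGNED_UPDATE;
    if (id_looks_predictable(cfg->device_id))
        failures |= REQ_PREDICTABLE_ID;
    return failures;
}

/* The gate itself: listeners that reach beyond the local setup interface
 * are started only when no requirement is unmet. */
bool network_services_allowed(const struct device_config *cfg)
{
    return check_requirements(cfg) == REQ_OK;
}

int main(void)
{
    /* constructed configurations: as shipped, and after provisioning */
    struct device_config factory  = { "admin", false, false, "000123" };
    struct device_config provisioned = { "correct-horse-battery", true, true, "a91f3c0d5e7b2416" };

    printf("factory: failures=0x%02x network=%s\n",
           check_requirements(&factory), network_services_allowed(&factory) ? "yes" : "no");
    printf("provisioned: failures=0x%02x network=%s\n",
           check_requirements(&provisioned), network_services_allowed(&provisioned) ? "yes" : "no");
    return 0;
}
```

The point of returning a bitmask rather than a single pass/fail is that the prototype's setup flow can tell the user exactly which requirement blocks it, and the same function can run as a unit test in the iterative testing the slide calls for: any commit that reintroduces a default credential or disables TLS fails the build before it reaches hardware.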

Editor's notes

  1. 5.4B connected devices today; by 2020, 20-50B total devices. The attack landscape is growing not just by the number of devices, but by the software running on them (multiple OSes). With known issues, why isn't anyone panicking? Most publicized attacks have been hypothetical or sensationalized. Ability and opportunity exist in spades, but many attackers lack motivation to target IoT and will always choose the path of least resistance: there is a high degree of success with attack vectors such as phishing and watering holes.
  2. Many applications integrate with smartphones, so if the phone is compromised, it can have a cascading impact.
  3. Heavy lifting can't be done by startups. Many IoT offerings will require high volume and low margins, so investments in better hardware to improve security are unlikely. Embedded security requires greater processing power; powerful processors are more expensive, need bigger packaging and require more battery power. Larger and more expensive batteries and processors are not ideal for disposable devices. I'll speak more on standards later.
  4. Despite the lack of many major IoT security events to date, it is evident that security will have to be addressed sooner rather than later. Think about how security fits into your brand and product vision.
  5. If you're already familiar with security and just need direction, take a look at the OWASP Top 10; it provides examples and guidelines. If you need a more holistic approach, adopt an existing framework and/or standard. Standards are primarily focused on interoperability; some include complete frameworks.
  6. Even if you have a small budget or limited security expertise, you have options. Some crowd testing offers you the flexibility to pay for bounties, or to give "kudos".
  7. Example of someone with limited budget and security experience who needs to hit the ground running.
     Education: the OWASP Top 10 will allow you to focus on the most common mistakes.
     Hardware / Software: BeagleBone Black is powerful and affordable, with the ability to extend it with the CryptoCape for more demanding security applications. Ubuntu Core (Snappy) is designed with security in mind: isolated components (kernel, OS, gadget, app), security profiles, patchable, strong dev community.
     SDLC: whether you choose traditional waterfall, iterative, agile, or another SDLC, merely adopting any SDLC that considers security requirements and testing throughout will leave you well positioned for success. Having reviewed the OWASP Top 10 already will help you define security requirements.
     Code Review: there are many free static analysis tools for C and C++. You can incorporate multiple tools, or focus on those that specialize in areas where you feel least comfortable (e.g. memory management). For dynamic/extended testing options, leverage crowdsourced testing and offer kudos.
     Security Posture: good chance of avoiding the mistakes that attackers commonly go after, such as the vectors referenced in the appendix for publicized attacks. Easier transition to production, since security requirements have already been considered in the design of the prototype. Your commitment to security can grow as your resources grow.
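Note 7 suggests pointing the static analysis tools from slide 11 at the area you are least comfortable with, and names memory management. The block below is an added example in C, not code from the slides, showing the kind of defect those tools report in a small device command parser alongside a bounds-checked rewrite. The "SET name=value" line format, the 31-character field limit and the function names are constructed assumptions; the comments name the unbounded string functions that Flawfinder flags and that Cppcheck and the Clang static analyzer can trace to a buffer overrun.

```c
/* Added example (not from the slides): an unbounded-copy parser of the kind
 * static analysers flag, next to a bounded rewrite. The command format
 * "SET <name>=<value>" and the 31-character field limit are assumptions. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32            /* 31 characters plus the terminating NUL */

struct command {
    char name[FIELD_MAX];
    char value[FIELD_MAX];
};

/* BEFORE: the pattern the analysers complain about. strcpy() and sprintf()
 * copy without regard to the destination size, so a line longer than the
 * buffers, arriving from a socket, overruns the stack (CWE-120). Kept only
 * to show what the tools report; it is not called on untrusted input. */
int parse_command_unsafe(const char *line, struct command *out)
{
    char buf[64];
    char *eq;

    strcpy(buf, line);                  /* flagged: strcpy, no length check */
    if (strncmp(buf, "SET ", 4) != 0)
        return -1;
    eq = strchr(buf + 4, '=');
    if (eq == NULL)
        return -1;
    *eq = '\0';
    strcpy(out->name, buf + 4);         /* flagged: strcpy into 32-byte field */
    sprintf(out->value, "%s", eq + 1);  /* flagged: sprintf, unbounded */
    return 0;
}

/* AFTER: lengths are measured before any copy and over-long input is
 * rejected (-2) rather than silently truncated, so nothing downstream
 * ever acts on a shortened name or value. Returns -1 for malformed lines. */
int parse_command(const char *line, struct command *out)
{
    const char *name_start, *eq, *value_start;
    size_t name_len, value_len;

    if (line == NULL || out == NULL)
        return -1;
    if (strncmp(line, "SET ", 4) != 0)
        return -1;
    name_start = line + 4;
    eq = strchr(name_start, '=');
    if (eq == NULL)
        return -1;
    name_len = (size_t)(eq - name_start);
    value_start = eq + 1;
    value_len = strlen(value_start);
    if (value_len > 0 && value_start[value_len - 1] == '\n')
        value_len--;                    /* drop a trailing newline */
    if (name_len == 0 || name_len >= FIELD_MAX)
        return -2;                      /* empty or too long to fit */
    if (value_len >= FIELD_MAX)
        return -2;
    memcpy(out->name, name_start, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, value_start, value_len);
    out->value[value_len] = '\0';
    return 0;
}

int main(void)
{
    struct command cmd;
    /* constructed sample line, as a device might read it from a socket */
    if (parse_command("SET ssid=lab-net\n", &cmd) == 0)
        printf("name=%s value=%s\n", cmd.name, cmd.value);
    return 0;
}
```

Running Flawfinder over this file reports the three calls in the "before" function and nothing in the "after" one, which is the quick feedback loop the slide's "test iteratively" bullet is after: the analyser runs on every commit and the developer learns the bounded idiom from the first report rather than from a field incident.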