Ecosystem, Interoperability and Standards: IoT Security - AppSecUSA 2018


Security Development Lifecycle (SDL) methodologies have traditionally served consumer products and enterprise applications. These programs are usually well defined, with established architectures, target markets and product development cycles that span months or years.

Enter the Internet of Things, where there are no pre-defined form factors. An "IoT product" may be a smart fridge, a pacemaker, or a smart city. Makers of these classes of devices are often small/medium sized businesses, who are racing against the large corporates and other similar sized competitors to launch their products first. They look for standards in communication protocols, software stacks, libraries, and reuse them wherever possible. But standards are few and rarely one-size-fits-all. When it comes to securing IoT products, there are myriad of challenges on both process and technical fronts.

Our presentation introduces the audience to a cutting-edge version of Security Development Lifecycle, called the Security & Privacy Development Lifecycle (SPDL). Tailored specifically for IoT platforms, the SPDL is an agile framework that breaks-up a "generic" IoT architecture into its logical sub-components, accounts for the security assessment activities for each of them, as well as for the entire ecosystem. Privacy is woven into the process, and privacy-specific activities are planned at each step of the SPDL. Using standard waterfall-oriented SDL methodologies for IoT programs can be challenging and messy. We talk about the shortcomings of these existing models, and how our proposed SPDL framework addresses them.

As we write this, there's extensive media coverage on companies collecting and sharing user data with third parties leading to global consequences. Compliance with privacy (for example, consent rules in GDPR) can be very challenging for IoT. We explore some of these topics, and also introduce a privacy vulnerability scoring framework (CPVSS) that can aid in measuring, prioritizing and addressing privacy breaches and data thefts.


Sumanth Naropanth
Information Security Leader - IoT, Cloud and Mobile
CEO of Deep Armor Business and technical leader in information security. Extensive experience in defining and executing security development lifecycle (SDL), hands-on penetration testing, threat modeling, conducting security research, incident response, designing crypto flows and architecting new se... Read More →

Kavya Racharla
Head of security and privacy, Intel sports - Artificial Intelligence and Virtual Reality
Kavya Racharla is the head of security and privacy for Intel's sports group. As part of her job at Intel, she has led the end-to-end SDL and privacy efforts for several AR/VR, wearable and IoT devices.


Managed by the official OWASP Media Project

Ecosystem, Interoperability and Standards: IoT Security - AppSecUSA 2018 Ecosystem, Interoperability and Standards: IoT Security - AppSecUSA 2018 Reviewed by Anonymous on November 23, 2018 Rating: 5