27 November 2019

This ENISA study introduces good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime. Establishing secure development guidelines across the IoT ecosystem is a fundamental building block for IoT security.

By providing good practices on how to secure the IoT software development process, this study tackles one aspect of achieving security by design, a key recommendation highlighted in the ENISA Baseline Security Recommendations study, which addressed the security of the IoT ecosystem from a horizontal point of view. Software lies at the core of every IoT system and service, enabling their functionality and providing value-added features.

The firmware of IoT devices, implementations of IoT communication protocols and stacks, Operating Systems (OSs) for IoT products, Application Programming Interfaces (APIs) supporting interoperability and connectivity of different IoT services, IoT device drivers, backend IoT cloud and virtualization software, as well as software implementing different IoT service functionalities, are some examples of how software forms the substance of IoT.

Due consideration is given to supply chain issues, including the integration of software and hardware. Applying secure Software Development Life Cycle (SDLC) principles is an effective and proactive means of avoiding vulnerabilities in IoT, and thus of developing software applications and services in a secure manner. Several IoT security challenges can be addressed by establishing a baseline of secure development guidelines, such as checking for security vulnerabilities, secure deployment, ensuring continuity of secure development when integrators are involved, continuous delivery, etc.

It is therefore important to analyze the relevant IoT cybersecurity threats and, accordingly, to set out security measures and specific secure development guidelines that avoid the common software vulnerabilities arising from insecure practices that might be followed throughout the SDLC (requirements analysis, software design, software development, implementation, deployment, integration, maintenance and disposal).