TEL: 044-952-0102


Building Secure Connected Devices

発行 VDC Research Group, Inc. 商品コード 301563
出版日 ページ情報 英文 19 Pages; 30 Exhibits
納期: 即日から翌営業日
本日の銀行送金レート: 1USD=111.05円で換算しております。
Back to Top
安全な接続デバイスの構築 Building Secure Connected Devices
出版日: 2014年05月08日 ページ情報: 英文 19 Pages; 30 Exhibits



  • 主な調査結果



  • 調査対象となったほぼ全てのOEMが現在はいくつかの接続製品を製造
  • ローカルエリアネットワーク(LAN)機能は依然としてインターネットまたはクラウドよりも普及
  • 有線イーサネットは最も普及している接続


  • 幅広く導入されているコード分析ツール
  • コード分析ツール向けベンダーを選択する要因
  • 活用されていないファズテスト
  • 侵入テストは一般的だが、ユニバーサルではない
  • 侵入テスト:OEM vs. IT管理者


  • 暗号化・認証は最も一般的なセキュリティ機能
  • セキュリティ機能ベンダーを選択する要因


  • セキュリティが製品化までの時間を増やす
  • セキュリティ機能がデバイス価格を上昇させる
  • 収益性に対する中立の影響




Inside this Report

This report discusses and analyzes best practices to design and build secure connected embedded devices. Market analyses and critical considerations will be offered across technology types, product categories, and industry sectors. The report integrates selected findings from VDC's recent security survey of OEM embedded device engineers.

What questions are addressed ?

  • What steps should engineers take to build secure devices?
  • What commercial technologies are OEMs using to address security requirements, and what are the selection criteria for those solutions?
  • How are the roles of OEM engineers evolving to address security?
  • What factors are most important in the selection of security solutions vendors?
  • How is the need for security impacting OEMs' businesses?

Executive Summary

Embedded device connectivity is at the core of the Internet of Things, and security risks come along with the territory. OEMs must integrate security procedures, such as code analysis and penetration testing, in their product development processes, and they must add security features to their products. Nearly every aspect of an embedded device can be protected by one or more security solutions, but no individual solution should be considered impenetrable. And the need for security increases time-to-market and engineering costs, although most OEMs are able to compensate by increasing their prices.

[Data available in full report]

Key Findings

  • XX% of OEMs surveyed have connectivity in at least some of their embedded devices, although wired connections and local networking are still more prevalent than wireless connections and Internet- and cloud-based connectivity.
  • More than XX% of OEMs surveyed already use static code analysis tools in their software development organizations.
  • Less than half of OEMs conduct penetration tests on their products, and only one quarter conduct fuzz testing.
  • Authentication and encryption are the most commonly employed security features in embedded devices.
  • Security has a relatively neutral impact on OEM profitability.

Introduction: Security as Table Stakes

Several years ago, device functionality was enough to sell embedded products in most vertical markets. Of course there were exceptions, such as critical infrastructure, aviation, and military, for which security was always of importance. But today's environment has evolved on two fronts. First, end users across nearly all verticals are demanding Internet connectivity to access and control devices as well as to aggregate and analyze data. Second, the magnitude of security threats has exploded, driven by hackers of both the troublemaker and money-seeker varieties, and fueled by the increasingly complex nature of systems that are ever more challenging to protect.

Prospective buyers of embedded devices and systems are now demanding security, without which salespeople for OEMs might not even be able to get a foot in the door. The more sophisticated buyers are asking detailed technical questions about security that often require multiple rounds of engineering-level responses. In some markets, such as industrial automation, OEMs face a barrage of security questions from both IT and operations departments, making OEMs' security tasks doubly difficult. And in markets involving sensitive personal or financial data, such as medicine and banking, government regulations mandate new levels of device security that may change periodically, requiring security modifications to existing systems. Engineers at many OEMs are confronting these security challenges for the first time, either proactively in planning for new products or reactively in response to breaches that have occurred in their products. Without having security experts on staff, they may not know how to address security concerns. Due to cost pressures, they may opt to roll their own security solutions at the risk of either reinventing the wheel or missing important vulnerabilities. Even OEMs who have successfully handled device security in the past may be faced by new threats and vulnerabilities introduced through cloud-based data storage and device control. Embedded devices are no longer standalone entities; they are elements of systems, the security of which may only be partially under the control of the device maker.

Connectivity Implies Vulnerability

No device connected to the public Internet should be considered impenetrable simply because impenetrability is impossible to prove. The best one can hope for is proof that no currently known method has yet penetrated the device in a publicly disclosed manner. (The device may in fact be impenetrable, but device makers set themselves up for potential breaches and greater damage from breaches if they assume impenetrability.)

As we noted in a prior VDC View document entitled “Secure Hardening of Embedded Devices,” OEMs are advised to apply multiple levels of security to their connected devices under the assumption that device perimeters may be virtually penetrated. In this report, we examine how OEMs actually go about securing their embedded devices in the context of connected systems.

In March and April 2014, VDC Research conducted a survey of engineers at embedded device OEMs. (Note: the respondents to this particular survey were highly qualified engineers, so their responses may reflect higher usage rates of certain product technologies and development tools compared to the overall population of engineers.)

As shown in Exhibit 1, XX% of survey respondents said their companies make at least some products that include connectivity features. While this does not imply that XX% of all embedded products are connected, it does imply that nearly all product makers face security issues associated with connectivity.

Exhibit 1: Nearly all OEMs surveyed now making some connected products

Of course, not all connectivity is intended for the Internet, as shown in Exhibit 2. Local area networking is still the most common type of connectivity. This is particularly the case in vertical markets such as industrial automation, where the perceived security risks of Internet connectivity may outweigh the current benefits. Nevertheless, in our survey, more than half the respondents developed products designed to handle some form of Internet- or cloud-based activities, and VDC expects that portion to continue to increase considerably in the coming years.

Exhibit 2: Local area network functions still more prevalent than Internet or cloud

About this Report

VDC Research's i2: ideas & insights reports provide clients with deep insights into product, market, channel, and competitive strategies and tactics. Using deep and rich datasets based on extensive primary research, the i2 reports provide clients with the insights they need to make strategic decisions for their business about the markets they are in and the markets they want to be in. Coverage includes a combination of market sizing, segmentation, forecasting, end-user requirements analysis, competitive analysis, and more.

XX Commercial in Confidence.

Table of Contents

Executive Summary

  • Key Findings

Introduction: Security as Table Stakes

Connectivity Implies Vulnerability

  • Exhibit 1: Nearly all OEMs surveyed now making some connected products
  • Exhibit 2: Local area network functions still more prevalent than Internet or cloud
  • Exhibit 3: Wired Ethernet most prevalent connectivity

Secure Development Processes

  • Exhibit 4: Code analysis tools widely adopted
  • Exhibit 5: Factors for choosing vendors for code analysis tools
  • Exhibit 6: Fuzz testing underutilized
  • Exhibit 7: Penetration testing common, but not universal
  • Exhibit 8: Penetration testing by OEMs vs. IT administrators

Security Features

  • Exhibit 9: Encryption and authentication most popular security features
  • Exhibit 10: Factors for choosing security feature vendors

OEM Business Implications of Security

  • Exhibit 11: Security increases time-to-market
  • Exhibit 12: Security features raise device prices
  • Exhibit 13: Neutral impact on profitability

Additional Insights

Back to Top