Market Research Report

Securing Applications for Connected Systems

Published by: VDC Research Group, Inc. Product code: 320983
Publication date: December 5, 2014. Page information: English, 14 pages
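Overview

This report discusses and analyzes the products and services used to secure applications deployed on connected systems in the Internet of Things (IoT). It covers key strategic issues, trends, and factors affecting the market for these solutions, along with market analysis and critical considerations across technology types, product categories, and industry sectors.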


This report discusses and analyzes products and services used to secure applications deployed on connected systems in the Internet of Things (IoT). It also discusses key strategic issues, trends, and other factors impacting the market for these solutions. Market analysis and critical considerations are offered across technology types, product categories, and industry sectors. The report integrates selected findings from VDC's recent connected systems survey of OEM embedded device engineers as well as systems integrators, IT administrators, and executives. (Full survey data is provided as a separate Excel spreadsheet.)

What questions are addressed?

  • Why is application protection critical for connected devices and systems?
  • What are the different technologies available to secure applications, and what are the strengths and weaknesses of each?
  • Who are the leading vendors of application security technologies, and how are they positioned relative to each other?
  • What factors are impacting the adoption of new or augmented application security solutions?

Who should read this report?

  • This report will benefit OEM system architects, hardware engineers, software developers, project leaders, product managers, and executives responsible for embedded and IT systems, as well as product managers, marketers, and engineers at vendors offering security products and services to the OEM and IT communities.

Executive Summary

Applications running in connected devices and systems are exposed to numerous attack vectors. Many security solutions are available to reduce security threats to embedded applications, although the threats are ever-evolving, necessitating periodic updates of applications. Not only must these applications operate securely, they must be updated securely. And their devices need to manage security such that rogue applications or malware cannot compromise the functionality of connected devices and systems. VDC recently conducted a survey of engineers and implementers to gauge the current state of application security in embedded systems.

Key Findings

  • Application updating through local networks is still more common than updating via the Internet for connected devices.
  • The average connected device receives 2.7 updates per year.
  • The most popular methods of securing application updates are encryption of the software/firmware package and digital signatures.
  • Solutions to run applications securely, such as blacklisting and whitelisting, are less prevalent in embedded systems than the solutions to update applications securely, which presents a security risk for the embedded industry.

The Importance of Application Security

For connected systems in the IoT, software applications reside at multiple levels:

  • Within the embedded devices at the edge of the network
  • Within local control devices (e.g. gateways and programmable logic controllers)
  • Within centralized or cloud-based systems for device and data management

Within connected systems, applications are the top-level software that control what the devices do, as well as what the systems do with the data collected. To a large extent, applications are the raisons d'être of the systems; that is, people and companies acquire embedded systems to acquire the functions of their applications. As such, application security is critical to proper operations of the devices and to the privacy and security of their data.

Application security can be compromised at many points of attack. For example:

  • An application might be accessed by unauthorized users or machines
  • An application itself might be replaced with a substitute version containing malware that redirects or corrupts its functionality and/or data
  • An application might be attacked directly by another malware application
  • An application might be starved of system resources, such as memory or CPU cycles, by malware residing within the system

In addition, application security is only as good as the quality of its source code. Development techniques like automated static code analysis can greatly reduce security-related vulnerabilities, such as susceptibility to SQL injection and buffer overflows, which may be inherent within applications. (VDC extensively covers secure coding practices in other reports, so we won't delve further into that topic here.)

In many embedded devices and local control devices, software applications are limited to those written by the original design team, installed at the factory, and updated in tightly controlled environments. But in enterprise systems with employee bring-your-own-device policies (BYODs), the mobile devices in their native states are intentionally designed to load third-party applications from app stores. (Apple's App Store and Google's Play Store for Android each have more than a million apps, many of which are not developed with security in mind.) With BYODs, failed application security could permit malware on the mobile devices to not only compromise the devices but also to access sensitive enterprise data and services to which the user might be authorized. Therefore, extra application security measures are needed for applications in the mobile enterprise environment.

For connected systems, application security cannot be viewed in isolation because many components - starting with the processors and the operating systems - interact to form the system and impact the security of its elements. Nevertheless, a range of solutions is specifically designed to establish, maintain, and monitor the security of applications in connected systems.

Ideas & Insights

The types of application security examined in this report focus on distributing and launching application software/firmware in a secure manner and ensuring that only authorized applications are run in connected devices and systems. However, these factors are largely independent of the degree to which the applications actually operate securely, due to the possible presence of coding errors and vulnerabilities in the design of the applications themselves. Therefore, even if application deployment is secure, OEMs, software developers, and systems integrators still need to practice good coding hygiene through methods such as static code analysis, fuzz testing, and penetration testing. Needless to say, secure distribution of insecure code is an incomplete solution. Complete application security requires attention to every level of detail that might impact security.

However, in VDC's view, an important factor hindering application security is that trusted computing hardware technologies (such as hardware Roots of Trust and Trusted Execution Environments) are currently underutilized in connected devices and systems. Nearly every Intel x86 CPU shipped in recent years contains a Trusted Platform Module, and nearly every ARM Cortex-A CPU core contains a TrustZone that can serve such functions. VDC estimates that, collectively, about 3 billion CPUs have been shipped with these hardware technologies, yet few applications use them today. Most embedded software developers have little or no experience developing code for them. For application security to improve in the face of increasing IoT connectivity and the accompanying hacking threats, the embedded industry would do well to increase implementation of software for the hardware solutions that already exist.

About this Report

VDC Research's i2: ideas & insights reports provide clients with deep insights into product, market, channel, and competitive strategies and tactics. Using deep and rich datasets based on extensive primary research, the i2 reports provide clients with the insights they need to make strategic decisions for their business about the markets they are in and the markets they want to be in. Coverage includes a combination of market sizing, segmentation, forecasting, end-user requirements analysis, competitive analysis, and more.

Table of Contents

Executive Summary

  • Key Findings

The Importance of Application Security

  • Application Security Solutions
  • Hashes
  • Code Signing
  • Root of Trust
  • Remote Attestation and Direct Anonymous Attestation
  • Blacklisting
  • Whitelisting
  • Application Sandboxing
  • App Wrapping
  • Secure Update Distribution

Secure Updating of Applications

  • Exhibit 1: Distribution of Software/Firmware via Network Type (multiple responses permitted)
  • Exhibit 2: Update Frequencies for Software/Firmware in Connected Devices and Systems
  • Exhibit 3: Types of Security Used in Updating Applications (multiple responses permitted)

Running Applications Securely

  • Exhibit 4: Types of Embedded Security Used in Updating Applications (multiple responses permitted)
  • Exhibit 5: Use of App Wrapping in Managed Security Services
  • Exhibit 6: Importance of Remote Attestation (1=not at all important, 5=extremely important)

Ideas & Insights

About this Report
