Securing Applications for Connected Systems
|Published by||VDC Research Group, Inc.||Product code||320983|
|Publication date: December 5, 2014||Page information: English, 14 pages||
This report discusses and analyzes products and services used to secure applications deployed on connected systems in the Internet of Things (IoT). It also discusses key strategic issues, trends, and other factors impacting the market for these solutions. Market analysis and critical considerations are offered across technology types, product categories, and industry sectors. The report integrates selected findings from VDC's recent connected systems survey of OEM embedded device engineers as well as systems integrators, IT administrators, and executives. (Full survey data is provided as a separate Excel spreadsheet.)
Applications running in connected devices and systems are exposed to numerous attack vectors. Many security solutions are available to reduce security threats to embedded applications, although the threats are ever-evolving, necessitating periodic updates of applications. Not only must these applications operate securely, they must be updated securely. And their devices need to manage security such that rogue applications or malware cannot compromise the functionality of connected devices and systems. VDC recently conducted a survey of engineers and implementers to gauge the current state of application security in embedded systems.
Within connected systems, applications are the top-level software that control what the devices do, as well as what the systems do with the data collected. To a large extent, applications are the raisons d'être of the systems; that is, people and companies acquire embedded systems to acquire the functions of their applications. As such, application security is critical to proper operations of the devices and to the privacy and security of their data.
In addition, application security is only as good as the quality of its source code. Development techniques like automated static code analysis can greatly reduce security-related vulnerabilities, such as susceptibility to SQL injection and buffer overflows, which may be inherent within applications. (VDC extensively covers secure coding practices in other reports, so we won't delve further into that topic here.)
In many embedded devices and local control devices, software applications are limited to those written by the original design team, installed at the factory, and updated in tightly controlled environments. But in enterprise systems with employee bring-your-own-device policies (BYODs), the mobile devices in their native states are intentionally designed to load third-party applications from app stores. (Apple's App Store and Google's Play Store for Android each have more than a million apps, many of which are not developed with security in mind.) With BYODs, failed application security could permit malware on the mobile devices to not only compromise the devices but also to access sensitive enterprise data and services to which the user might be authorized. Therefore, extra application security measures are needed for applications in the mobile enterprise environment.
For connected systems, application security cannot be viewed in isolation because many components - starting with the processors and the operating systems - interact to form the system and impact the security of its elements. Nevertheless, a range of solutions is specifically designed to establish, maintain, and monitor the security of applications in connected systems.
The types of application security examined in this report focus on distributing and launching application software/firmware in a secure manner and ensuring that only authorized applications are run in connected devices and systems. However, these factors are largely independent of the degree to which the applications actually operate securely, due to the possible presence of coding errors and vulnerabilities in the design of the applications themselves. Therefore, even if application deployment is secure, OEMs, software developers, and systems integrators still need to practice good coding hygiene through methods such as static code analysis, fuzz testing, and penetration testing. Needless to say, secure distribution of insecure code is an incomplete solution. Complete application security requires attention to every level of detail that might impact security.
However, in VDC's view, an important factor hindering application security is that trusted computing hardware technologies (such as hardware Roots of Trust and Trusted Execution Environments) are currently underutilized in connected devices and systems. Nearly every Intel x86 CPU shipped in recent years contains a Trusted Platform Module, and nearly every ARM Cortex-A CPU core contains a TrustZone that can serve such functions. VDC estimates that, collectively, about 3 billion CPUs have been shipped with these hardware technologies, yet few applications use them today. Most embedded software developers have little or no experience developing code for them. For application security to improve in the face of increasing IoT connectivity and the accompanying hacking threats, the embedded industry would do well to increase implementation of software for the hardware solutions that already exist.
VDC Research's i2: ideas & insights reports provide clients with deep insights into product, market, channel, and competitive strategies and tactics. Using deep and rich datasets based on extensive primary research, the i2 reports provide clients with the insights they need to make strategic decisions for their business about the markets they are in and the markets they want to be in. Coverage includes a combination of market sizing, segmentation, forecasting, end-user requirements analysis, competitive analysis, and more.