Ensuring Connected Devices Are SecureAaron Guzman of OWASP Says IoT Security Basics Are Improving
The emergence of the Mirai botnet four years ago created a wave of worry over how increasing numbers of internet-connected devices could be abused by cybercriminals.
See Also: Business Case for PAM Playbook for CISOs
Mirai's malicious code was designed to take advantage of weak or default credentials in digital video recorders, routers and CCTV cameras. Then, the commandeered devices were used to launch staggering distributed denial-of-service attacks (see: Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
"I definitely see at least the IoT security landscape progressing in many different ways, especially in certain industry sectors," Guzman says. "The awareness of Mirai and the impact of insecure devices really hit home for some companies, some organizations, manufacturers and even federally."
Guzman is one of many experts working to create tools to better evaluate the security of connected devices and embed security into software design processes. OWASP and other organizations are working on specifications and methods for evaluating and securing connected devices.
"With all the awareness and all the interest, several communities have created a kind of 'call to action' and essentially put together their own flavors of what you should do to ensure your IoT devices are secure," Guzman says.
In this video interview with Information Security Media Group, Guzman discusses:
- The security challenges around IoT devices connected to cloud services;
- How OWASP is creating tools and methods to help organizations test and secure connected devices on their own;
- Whether a global IoT security standard will be developed.
Guzman is the lead for OWASP's IoT and Embedded AppSec Project as well as its Firmware Security Testing Methodology project. He's an expert in web application security and is a technical leader with Cisco's Meraki unit.