26 Aug IoT Security – the Security Development Lifecycle Way
e all know, whether from experience or just intuitively, that bolting security on an IoT product after much of the development has been completed is a total rookie mistake, and a recipe for disaster. Yet this still happens. By crowdfunded startups who don’t mention security in their videos, to internal teams in larger enterprises who also emphasise the bling in order to get their project greenlit from within. In this episode of the IoT Business Show I speak with Chris Romeo about the Security Development Lifecycle, the polar opposite to the bolt-on, that’s been successfully used in IT security for years.
In this episode of the IoT Business Show I speak with Chris Romeo about the Security Development Lifecycle, the polar opposite to the bolt-on, that’s been successfully used in IT security for years.
Chris is Chief Executive Officer at Security Journey, where he’s made it his mission to change the security culture of organizations – big and small. He has 20 years of experience in security, including the areas of application security, penetration testing, and incident response.
The Security Development Lifecycle (SDL) approach incorporates security into each step of the software development process with explicit best practices and steps to be taken during the requirements, design, development, testing and release phases of the software development cycle. While a lot of experts will point to “Security by Design” as the best of the best practices, SDL is a superset of that. Security by Design is done in the second phase, design, after the security requirements have been defined. A lot of pundits, myself included, tout the virtues of external security testing or pen testing as another best of best practices. Well, that’s included during the testing phase. Risk assessment? Check. Done during the requirements phase. An incidence response handbook? Yep, it’s there as part of the release phase. I like SDL, not because of its innovation or sexiness, but like pilot’s checklist followed before takeoff, it’s a thorough and safe process that should be blindly followed by every security practitioner working in IoT today.
Here’s What We’ll Cover in this Episode
- Why startups do minimally viable security in IoT.
- Each step of the Security Development Cycle.
- What security frameworks are and where they are used.
- Attach surfaces simply defined.
- The huge challenge with security keys.
- Two important security products to use – one during development and the other during testing.
- The too often forgotten fatal error when using open source.
- The role of security researchers.
- The role of cryptographic signatures.
Mentioned in this Episode and Other Useful Links
Support this Podcast
If you have been enjoying this podcast, there are a few ways you can support it:
Have an opinion? Join the discussion in our LinkedIn group
Have you seen any successful non-traditional business models work in consumer IoT?Click here if you have an opinion on this podcast or want to see the opinion of others