IoT Agenda


February 7, 2018  12:57 PM

The internet of things and SharePoint deliver business benefits

Ritesh Mehta Ritesh Mehta Profile: Ritesh Mehta
Data Management, Internet of Things, iot, IoT data, Microsoft, SharePoint

A typical Microsoft SharePoint consultant is able to draft a consultative approach for a customer by aligning with their goals and requirements. The service provider is able to provide full-service development that includes each and every part of the project lifecycle, from business process analysis and requirement study to deployment implementation and architecture design.

Pairing SharePoint with a trend

SharePoint will not be going away anytime soon. On the contrary, it will continue to be a popular platform for businesses, and SharePoint consulting firms will stay in demand. Perhaps the key is to look at the platform with a trend. To that end, consider SharePoint in terms of a trend that is been bouncing around as of late: the internet of things.

SharePoint meets IoT

People may not see the connection between SharePoint and IoT. Of course, SharePoint cannot talk to a car, factory or refrigerator. Indeed, SharePoint does not monitor or make data. But it’s a platform that can be used to display the resulting data through dashboards, store and surface data or connect data sources to the human eyes. In reality, SharePoint is naturally not affected directly by the internet of things. From a software perspective, there’s minor impact as to how the system operates. Nonetheless, there is a considerable impact on the service delivery of solutions to SharePoint. Things such as support, change management and ownership come into play. Simply because the internet of things is hyped does not mean one has to buy into the hype. When it comes to IoT projects, the key is to start out small. Furthermore, companies should stick to the best practices that they are already using when deploying any new solution, such as planning, testing and piloting.

There are important considerations when looking into SharePoint and the internet of things. For instance, it’s important to know where data feeds come from, to get the support picture figured out with responsibilities and levels of support, and set up monitoring of the performance of the platform and the data feeds performance.

SharePoint connects the workplace

Microsoft SharePoint helps an organization adapt by connecting the workplace with intelligent content management as well as intranets that provide the tools for sharing and working together, and informing and engaging people across the company. Now, it gets easier to organize the intranet in a dynamic way. What stands out among the new functionality included in hub sites is the ability of giving intranet managers the ability to combine numerous team websites, as well as communication sites, in a single place to build an intranet, which reflects how enterprises work. Even better, Microsoft designed the new hubs keeping mobile devices in mind. The SharePoint mobile application can be updated to natively render hub sites, their pages, content and news, and to provide smooth navigation between associated websites as well.

Microsoft SharePoint gives an all-in-one enterprise platform to help organizations and businesses collaborate, manage and locate information better, therefore minimizing wasted time, as well as driving up productivity.

Plenty of growth for IoT in 2018

This year will be a steady growth for IoT, with it seeing plenty of investment, lots of growth and widespread adoption, such as with SharePoint. The following are trends I see for IoT this year:

  1. IoT will grow. It will continue expanding, with more and more devices going online every single day. IoT will become the backbone of customer value as it continues to grow. In a lot of ways, the full potential of the internet of things is still being realized and it’s likely to see more of that this year.
  2. It becomes more fragmented. Just as the internet of things continues to grow, it will also be increasingly fragmented. The fragmentation will create hurdles for a lot of organizations as they deal with compatibility issues.
  3. Greater security concerns. The more complex IoT is, the more network security challenges it will encounter. True, securing all the connected devices in an environment with less regulation will be hard. Finding a way to keep IoT data safe will be the main goal this year.
  4. Mobile platforms will make more sense. The mobile-first to mobile-only trend will likely continue to grow, as mobile platforms will be the de facto management system for internet of things devices. This again is not shocking, but not finished either. IoT development is one that will happen over time as early adopters start refining, with latecomers jumping into the mix. This year will continue to see a lot of transition into mobile platform development.
  5. Marketing efforts will continue. This year will be ripe with bells, dings and whistles as customers are alerted to incentives, bargains and other news about their homes as well as offices. A growing number of companies will start to use the internet of things for more personalize marketing efforts. Also, they will get closer to finding how-much-is-too-much balance in terms of marketing.
  6. There will be plenty of money to be had. It’s predicted that business spending on the internet of things solutions will hit $6 trillion by the year 2021. It then makes sense that venture capitalists will continue pouring funds into the IoT promise, underscoring its potential to boost customer experience in almost each and every industry.

To reap the benefits, organizations may need a professional SharePoint company to find and fix problems in their existing SharePoint infrastructure or a skilled developer who can build custom websites and develop mobile-first, responsive web design projects and use IoT technologies to integrate systems and processes.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

February 7, 2018  12:46 PM

Voice-controlled automation of logistics is now possible

Manisha Raisinghani Manisha Raisinghani Profile: Manisha Raisinghani
Automation, Ecommerce, Fleet Management, Internet of Things, iot, language, Logistics, Machine learning, retail, Technology, transport, voice

Logistics automation and streamlining requires adaptability and scalability in terms of technology-backed innovation. It is about finding the right device which can be better “enabled” through technology. We continually work on getting the right technology to further automate and improve logistics movement. We worked towards creating the best system to solve real-world problems seen in logistics and field workforce management. It took months of coding and designing, but we hit that sweet spot with voice-controlled automation of logistics processes. I am talking about conversing with machines — and having the machines converse amongst each other. The next phase of connectivity is here. Adaptation and adoption of this technology will lead to the faster evolution of services and products.

Without integration with voice assistants such as Alexa, Google Assistant, Cortana and Siri, a logistics or sales manager previously had to log into a product dashboard to check the location or the status of any in-transit delivery, vehicle or agent. Thanks to voice integration, managers can now simply relax and instruct their personal assistant to fetch the information for them.

“Alexa! Find my Truck on Route 27!”

The mechanics are a little more in-depth than that, but this is how the final statement would be. We have successfully integrated a multitude of skills within the assistant so that it can access all relevant and actionable information directly from our system and report it to the user.

“Your truck has crossed the intersection at Greenville Road moving towards its destination.”

Imagine a world where all you need to do is speak to your personal assistant about any resource or parcel and even plan a schedule around it. You can plan your deliveries while you travel in your car. You can track the exact location of any vehicle simply by asking a question. Automation of processes has reached its tipping point, and voice-controlled automation can lead you to the next level of efficiency.

Let’s consider what has been done here.

Enterprise system interactions and communication

The core issues which technology can solve within logistics processes are to enable better visibility, control and transparency across the end-to-end movement of resources. This will eventually bring down costs and increase efficiency along with profitability.

Logistics management involves mutual interactions of multiple stakeholders and services, including carrier services, third-party logistics partners, distributors, warehouse management systems, transport management systems, workforce management systems, tracking and reporting services, management information systems, enterprise resource planning systems and so forth. Information moves through multiple systems and along multiple stakeholders. There are two factors at play here:

  1. Time spent on information forwarding: There is a time cost involved with the digital or physical movement of information. This involves manual intervention time (and hence the cost of the resource) while feeding in information and reviewing analytics, and the time delay as the information moves from one system/stakeholder to another.
  2. Quality and consistency of information transfer: As the information is handed over multiple times, there are situations when the language, structure and consistency of information are affected.

The time factor and quality are related to each other. However, with voice-controlled automation, this can be minimized. Not just for reporting and analytics, the manager can initiate planning of schedules and allocate deliveries and tasks just by speaking about it. Multiple interlinking and integrations would help the personal assistant have better and faster “conversations” with other systems and give a much clearer picture about the progress, status and reports of multiple processes, and even initiate some of these processes. The authenticity of direct information passing through the system without having to go through intermediaries significantly decreases the probability of communication errors.

Process automation: Allocation, dispatch, tracking and updates

Logistics automation, as we know, has the potential to save a lot of time and cost. Saving time in processing and planning for trips and routes means that the total turnaround time for the eventual trip would be shorter. Logistics automation simplifies this process and makes logistics and resource movement simpler.

With voice-controlled automation, managers can verbally communicate their directives to the system. If they want a specific parcel to be assigned to a courier who is more well-equipped to deliver it, they can simply say it and it would be done. They are not required to search through a list of orders for the parcel and then browse through a list of available couriers to assign the same. It can all be automated by a single skill-defined command. Similarly, tracking and updates can be made much simpler with the use of such voice-controlled assistants. As we saw earlier, all it takes is for a manager to ask the right question about the location or status of any delivery and it would be reported back immediately. The agility and responsiveness gained by the quick and correct communication of information would help companies react better and faster in key situations.

Entire process visibility and transparency

There are many events that a courier, agent or vehicle undergoes while on a trip. These involve interactions with traffic, weather or the eventual customer experience. If there is a delay along an in-transit delivery which may affect the original service-level agreement (companies have SLAs which must be met, such as service or delivery time, parcel safety and speeding of delivery vehicles). These SLAs are tracked in real time. Now, if the manager wants to access the tracking and delivery updates in real time, they no longer must access the system and search the same; they can ask the assistant to do it for them.

The manager can say to the assistant, “Ask, which are my high-priority alerts?” These parameters and information calling-terms like “high priority alerts” are already defined as a skill. The assistant would talk to the core system and extract the data. The assistant would then vocalize the alert and update messages marked as high priority. These alerts would mostly cover events like extended detention of vehicles, delivery failure and other such actionable items. This increases the visibility and transparency within the system. The manager can easily pull up any relevant information and make an informed decision using the same.

Language and dialect localization in emerging markets

Logistics and field workforce optimization as a technology is developing faster in the southern Asian markets as compared to more mature markets. The tech and road infrastructure in emerging markets may come up with some bottlenecks, which would have to be overcome while sustaining logistics and delivery efficiency. The best way to handle these bottlenecks is increased visibility of operations for every stakeholder. The client at the headquarters must know which in-transit vehicles are delayed or are in breach of an SLA. A hub manager must know the ETAs of each vehicle coming into their hub so that he can play their workforce for offloading or loading. When visibility at all levels of operations is synchronized, the movement of goods become faster and more efficient.

Voice-controlled automation can make this process more agile. And the leveling marker is the language and dialect neutrality built within the personal assistant. This means that even a local hub manager can operate Alexa in his own language or dialect; there doesn’t have to be any gap in information flow due to any language barrier. This is big leap forward in true globalization of logistics and supply chain movement.

Adoption of technology across companies

Perhaps the most striking benefit of voice-controlled automation feature is product ease-of-use. Almost anyone can use the personal assistant without any hassle; it doesn’t matter if they are tech-savvy. They can have their personal assistant set up and all they have to do is ask questions when required. It has the shortest learning curve in technology-backed automation. The ease-of-use and one-stop solution point would help drive process integrations and innovation as the adoption of technology increases across the company.

Accurate and timely information transfer can help initiate appropriate actions which can, in turn, either save costs or increase efficiency or both at the same. Voice-controlled automation can be the perfect playing field where experienced individuals who prefer traditional ways due to their lack of technical expertise can now partake with their intellect and insights. The implications of such automation are beyond just numbers, it can drive a change in the way things are done and eventually result in better strategic balance within companies.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 6, 2018  3:56 PM

IoT is the key to sustainability, so what’s holding it back?

Jayraj Nair Profile: Jayraj Nair
Collaboration, Energy Consumption, Internet of Things, iot, IoT applications, IoT data, Sustainability

The year has only just begun, and the U.S. has already been hit by a bomb cyclone, mudslides and multiple wildfires. Most experts agree that these incidents of extreme weather are directly linked to climate change — and the buzz around building a more sustainable world has never been louder.

Unfortunately, many companies are still underutilizing a tool that could help turn the tide when it comes to sustainability: IoT. A recent survey conducted by Wipro Digital and Forum for the Future found that IoT, data and connectivity have the potential to restore existing damage and reduce the future harmful effects of climate change.

According to the survey, 98% of business leaders believe that IoT is already contributing to a more sustainable future in some capacity. Yet, despite acknowledging IoT’s sustainability power, only half are using data and connectivity to support these efforts.

The path toward a more sustainable, connected future is not without its challenges. Such obstacles include misaligned priorities, security risks and a lack of governance or oversight. Additionally, many fear the widening of the digital divide around the world and the emergence of a “rebound effect,” meaning that the exponential rise of data and connectivity could actually strain energy supplies and create more e-waste.

Luckily, there are steps that companies can take to address these concerns.

Align priorities, strategies, and goals internally by increasing cross-departmental collaboration.

While many business leaders believe that sustainability is an important goal, many also hold a mistaken belief that sustainability efforts cannot be improved alongside more traditional business goals, such reduced costs and improved operational efficiencies. But this simply isn’t true.

One way to resolve this fallacy is to encourage interdepartmental communication. In other words, various aspects of a business need to communicate with one another to align on goals, challenges and technology implementation strategies. Doing so will create an open network and fluid exchange of information, which often leads to new ideas and innovation.

Just as every department has its own goals and priorities, each group also has a critical role to play in reducing future harmful effects on their environment. To drive companywide sustainable efforts, departments such as operations, supply chain, marketing, and research and development must share projects and budgets.

If done correctly, teams can more easily align on achievable sustainability benchmarks without the risk of undermining traditional business-related goals. Equally important, departments can share valuable data and insights that fuel IoT and connectivity.

Stress technology governance to increase open innovation and provide oversight.

When governments and businesses work together, meaningful change happens. For instance, the City Government of Buenos Aires partnered with SAP HANA and SAP Mobile to deploy IoT that can analyze data from storm drains in real time — helping prevent dangerous flooding that has burdened the city for years.

Yet the relationship between governments and businesses — especially tech companies — has always been difficult to navigate. It seems technology is evolving too fast for government standards to keep up, let alone create new regulations and oversight. While many leaders are unsure what role the government should play when it comes to managing technology’s evolution, it is becoming increasingly apparent that some level of unified tech and environmental guidelines is necessary.

Business leaders should work with the government to develop the appropriate measures to ensure that technology is channeled for the greater good. For example, the government could architect a platform that makes certain data is freely available online for public use. Doing so will help increase transparency, democracy and open innovation. This access will also help level the playing field between demographics and geographies.

Similarly, concerns over information security and privacy can also make business leaders more hesitant to throw more weight behind IoT initiatives or share their data with other organizations. Developing legislation that helps secure private information and encourage the sharing of other data is critical to the long-term success of a connected, sustainable world.

Highlight social responsibility to create a collected and joint effort.

There is a massive gap — known as the digital divide — between those in the world with access to technology, data and relevant skill sets and those without it. This is true even in the United States. According to the most recent report from the FCC, 34 million people lack access to broadband networks.

It is important for both businesses and communities to share and make sense of open data about their environment to work together toward a solution.

Use smart design to create products that consume less energy and less waste.

Many experts have predicted that the increase in data-enabled products will inevitably lead to greater energy demand and even the creation of more e-waste. In fact, according to a recent study, 44.7 million metric tons of electronic waste was produced in 2016 globally, a disturbing 8% increase from 2014.

Avoiding the creation of such waste will require the developers and engineers behind IoT-connected devices and infrastructure to pay more attention to smart design. Indeed, design can help extend the lifecycles of products, reduce the amount of energy needed for a device to operate and much more.

Designing and implementing such devices and products will require companies to work with one another as well. Microsoft Azure and Grundfos, for example, recently worked together to create intelligent sensors that collect data from Grundfos’ water pumps. These sensors help predict, prevent and react to water issues, ultimately helping not only reduce water waste, but also improve disaster relief and sanitation.

Business leaders and experts have immense responsibility when it comes to helping build a more connected world. Predicting mudslides or bomb cyclones remains an extremely challenging endeavor. But IoT, data and connectivity will inevitably play a major role in driving positive business outcomes and transforming the way that the world works. If business leaders and companies align on priorities and take the proper steps, these technologies can actually protect the planet for years to come.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 6, 2018  2:08 PM

IoT is revolutionizing natural disaster prediction

Vivek Mohan Profile: Vivek Mohan
Connectivity, Internet of Things, iot, IoT applications, IOT Network, LoRA, LoraWAN, Wireless

In the decade following 2005, a total of 242 natural disasters occurred in the U.S. alone. These catastrophic forces of nature caused loss of life, human suffering and destruction of property on a massive scale, yet they represent only a fraction of the natural events that have affected people around the world during this same timeframe and since.

While natural disasters are outside the control of humans, climate change notwithstanding, the internet of things is already being used to minimize the adversity resulting from natural occurrences, such as wildfires, severe weather, earthquakes, tsunamis, volcanic eruptions and other geologic processes. Thankfully, we are now entering an era where scientists and experts, deploying the latest smart technology, can mitigate for and even prevent the death and destruction caused by these distressing events.

Even as much of natural disaster news coverage focuses on the actual events themselves and the immediate effects, technology companies around the world are working on technologies to help communities predict and better prepare for these destructive phenomena. Successful natural disaster preparedness, whether for flood, tornado or hurricane, is focused on creating a disaster recovery plan that reduces the hazards to people and property while also facilitating efficient rescue and recovery efforts.

Technology is making an impact

Technologies are emerging that make it possible to better know the potential risks and anticipate them before, during and after a catastrophic event. And while there is much debate around the future of technology to advance human development through social engineering, prevention is the best protection against a disaster and, for those in areas of where escape is not possible, very well may be the difference between surviving and not surviving.

LoRa devices and wireless radio frequency technology, which brings together low-power wide-area network sensors, wireless technology and sophisticated algorithms, is one example of technology being used in this area and it is already helping experts to better predict earthquakes and volcanoes. Across the spectrum of IoT technologies, there are teams applying devices and networks to mitigate impacts of future natural disasters and help deploy early warning systems. Disaster prediction is more than studying weather patterns, for example.

Effective prediction involves identifying hazard areas and potential triage zones on maps, facilitating communication through platforms, which don’t depend on cellular networks or landlines, and even synchronization of patient data and medical records to ensure proper care in the event of a natural disaster. Sensors and meters, propelled by LoRa technology, are being used to provide early warning systems for earthquakes and volcanic eruptions.

Naturally, there are limitations to our ability to predict natural disasters, with network infrastructure and connectivity issues, financial constraints and communication remaining as some of the major hurdles yet to be overcome.

Unfortunately, many natural disasters also occur in underdeveloped regions of the world, where network deployments are not yet fully developed. Even in the U.S., a lapse in connectivity for a network that transmits data from weather reference points can prevent an early warning alarm being sent to alert the community. Communication is often overlooked as a limitation in this area. Effectively communicating risk and expressing the severity of an event can make all the difference in saving lives. An efficient, low-cost IoT network can ensure communications stay online.

Developing sensors with greater sensitivity and greater data capabilities and deploying them quickly and cost effectively, can also help with disaster prediction efforts. Creating IoT networks of weather base stations in the Caribbean, for instance, can serve as early warning systems for hurricanes and tropical storms. Consequently, the ability to analyze years of historical data on weather patterns and previous natural disasters can help identify timing and severity of future weather events and mobilize local authorities.

LoRa is helping save lives

LoRa technology is a long-range, low-power wireless chipset for use in all types of IoT applications. It uses end-to-end AES128 encryption, geolocation without GPS, and the relay of data via LoRaWAN networks. Used in sensors and end nodes for IoT applications to collect and relay data, it communicates bi-directionally using the LoRaWAN protocol.

A typical flow of data starts with the sensor or end node collecting information from its particular application. The data is then transmitted to the nearest LoRa-enabled gateway, which is connected to a LoRaWAN network, and then transmits the data to a cloud server. After transmitting the data, the information is sent to the end user via a mobile or desktop app.

LoRa-enabled devices have a range up to 30 miles with ongoing efforts to extend that upper limit. Devices running on LoRa have range benefits in dense urban areas in which other technologies cannot penetrate buildings at a certain depth. The devices record location, speed and direction, allowing for tracking of moving objects, such as rescue teams and equipment.

LoRa was designed with affordability and quick deployments in mind. It can cost a company as little as $20 per month to maintain network connectivity for a fleet of hundreds of vehicles. The per-unit cost is low and the low-bandwidth demand keeps the data costs low as well.

The LoRaWAN network protocol allows LoRa-enabled devices to communicate. The devices can gather the data, but if they can’t transmit that data then it’s of no use to the end user. LoRaWAN connects LoRa-based devices to a smartphone, tablet or desktop. The specifications for LoRaWAN, maintained by the LoRa Alliance, allow for global interoperability among LoRa sensors, gateways and end nodes. Standardization is crucial in the world of IoT, and LoRaWAN enables the adoption of Semtech’s LoRa technology on a global scale.

The future of natural disaster prediction

The recent introduction of the LoRa tag, a disposable, ultra-thin and low-cost tag that can be integrated into disposable systems or attached to assets to communicate the trigger of a specific event, portends crucial advances in the abilities of IoT for natural disaster preparedness and prediction. The LoRa tag is equipped with a printed battery and is designed to be integrated into products or systems that send messages to the cloud when a simple event is detected.

It is expected to enable the proliferation of completely new types of IoT applications, requiring real-time, reliable feedback, including logistics and shipping, healthcare and pharmaceutical applications, asset tracking applications, and general-purpose compliance applications.

Looking to the future, experts are coming up with ways of combining IoT and artificial intelligence in a bid to reduce and manage conditions of hazard, exposure and vulnerability, and prevent losses of life and property. For example, using robots, sensors or drones can help first responders and rescue victims quickly assess the situation, as well as the extent of the damage caused to come up with a suitable action plan to assist people, making rescue efforts less time-consuming, safer and properly coordinated.

Natural disaster preparedness is a continuous process, and natural hazards need not become catastrophes with the assistance of technology to support the general public and the government with protective measures.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 6, 2018  1:16 PM

Lessons from IoT Evolution Expo

Rick Harlow Profile: Rick Harlow
Agriculture, Internet of Things, iot, IoT applications, Service providers, Sustainability, Water

Earlier this year, I had the opportunity to be involved in a panel discussion at the IoT Evolution Expo in Orlando, Fla. The focus of the panel discussion was around how IoT is driving sustainability. It was interesting to see and discuss the two different talk tracts around this topic. On one side, there was the topic of how the industrial internet of things is driving sustainability in farming, agriculture, irrigation and water supply, for example, and on the other side there was the topic of how IIoT is helping companies across multiple industries to become more sustainable in volatile global markets.

Innovation with new sensor technologies, like groundwater hydration sensors or the use of drones to be able to specifically see exactly what areas of crops are getting properly irrigated, are definitely at the top of the list of IIoT driving sustainability in these areas. We have moved far beyond the concept of the “connected cow.” On the other side, the discussions were tremendous about how brick-and-mortar companies have been able to drive new revenue streams by way of new digital technologies and services they can provide to their customers.

For example, there was a use case where a 140-year-old company that had traditionally built farming equipment was able to initiate a digital offering in the agriculture market to provide tracking of all types of mobile farming equipment, including things like mobile eyewash stations, balers, planters and so forth. This new revenue steam was able to save the company from going out of business — and even enabled it to hire more staff.

These stories reminded me of a something that Einstein once said: “Learn from yesterday. Live for today. Hope for tomorrow. The important thing is to not stop questioning.”

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 6, 2018  12:23 PM

A method to the madness: How to think about security and privacy for IoT

Ted Harrington Profile: Ted Harrington
Compliance, Data-collection, Hackers, Internet of Things, iot, IoT data, iot security, privacy, risk, Risk management, Security

As we enter a new year — a year in which IoT is expected to continue its explosive adoption trend — it is important to continue to be mindful of the basic tenets of how to build and deploy connected devices in ways that deliver robust considerations of both security and privacy. It is also important to keep in mind that these are distinct concepts, even though they are often conflated: Privacy is the decision about who can or cannot access data, while security is the integrity of decisions about access being carried out effectively.

Here are some practical and implementable actions that both manufacturers and purchasers of connected devices can follow in an effort to deploy resilient systems. It is imperative, however, to keep in mind that the security architecture around your device will be very much dependent on your use case, and those unique aspects should heavily influence all decision-making you do around both security and privacy.

Security: Ways of thinking

The most effective security model around any given device or architecture will be very much dependent on use case. In that vein, below are some methods for how to approach security, rather than a prescriptive framework. As an outcome of the below domains, both buyers and vendors should thereby be best suited to deploy an IoT strategy that successfully accounts for security; this article defines such organizations as effective security organizations.

1. Think strategically
First and foremost, effective security organizations understand that to be effective requires strategy. Strategy then informs the tactical execution. To best pursue this mindset, effective organization should consider a collection of concepts that support the ability to think strategically about security.

a. Adopt a security mission
Effective security starts with making it a priority. While this sounds simple in concept, it is often very difficult in practice. Historically, the most successful security organizations are defined by executive buy-in to a well-articulated, well-defined, well-communicated security mission. Effective security organizations define the purpose behind why security matters to them, what they do to pursue those objectives and how they pursue the mission.

Contrary to conventional wisdom, effective security is not achieved via solely a collection of products, or through satisfying only the basics of some sort of compliance framework. Rather, security is a combination of people, process and products, all strategically resourced and deployed in the context of a security mission.

To be effective in this domain, organizations should:

  • Define why security matters to the unique needs and conditions of the organization,
  • Obtain executive buy-in about the security mission, and
  • Develop and execute a communication plan to ensure that the highest levels, lowest levels, and all levels in between have a common understanding of the security mission.

b. Be your security champion
Effective security is essentially an exercise in advocacy. Security is often hard to see, touch or feel; it is most often felt as a void, for example, when a breach results from a lack of effective security. In that vein, effective security organizations define at least one person — and in the best cases, many people — to serve as the champion for security in the organization. This individual or team advocates for the security mission, ensuring that it gets integrated into all aspects of decision making across the organization.

To be effective in this domain, organizations should:

  • Empower a person or group to advocate for the security mission,
  • Ensure that the champion has adequate support, executive visibility and influence to drive meaningful impact, and
  • Has security as their top priority, which does not compete with other conflicting priorities.

c. Define risk
Risk is the combination of likelihood — which includes both attacker motivation as well as ease of success — and impact in the event of an adverse outcome. Risk is something that should be defined, measured and mitigated, with an acceptance that it will never be eliminated. Once organizations can accurately understand their risk, they can then make business decisions about how to allocate resources to reduce it.

To be effective in this domain, organizations should:

  • Define attacker motivation, as it would be relevant to their organization,
  • Define ease of attack success, as it would be relevant to their organization,
  • Define impact to business in the event of a successful attack, as it would pertain to their organization,
  • Determine how to measure and reevaluate all of the above continually over time, and
  • Define a mitigation strategy to acknowledge acceptable risk and reduce unacceptable risk.

d. Allocate appropriate resources
Like marketing, sales, human resources, accounting and legal, security is a core business discipline. Accordingly, appropriate cost-benefit tradeoffs should be considered when allocating resources towards pursuit of organizational effectiveness in this domain. Ineffective security organizations see security as a cost to be minimized and attempt to survive by doing just the bare minimum, while effective security organizations recognize that it requires investment of manpower and financial resources to obtain effectiveness. It should be noted, however, that there is a condition of diminishing returns, after which point additional investments in security won’t deliver correspondingly higher returns on effectiveness. Appropriate resource allocation is the critical aspiration to pursue.

To be effective in this domain, organizations should:

  • Define what success looks like to the unique situation of the organization,
  • Quantify the manpower and financial investments it would require to arrive at success, and
  • Make informed, business-case tradeoffs about what to allocate and what to cut, in pursuit of the desired success outcomes as related to security effectiveness.

e. Plan for future
Technology evolves, market conditions change and attackers innovate. As such, effective organizations consider security in a future context, by thinking about how to adapt the security posture over time. IoT introduces particularly notable future state conditions, as many IoT technologies are not designed to be supported or updated by the vendor, but rather by the buyer. In either model (vendor-supported or buyer-supported), effective security organizations understand that bugs will be discovered, security vulnerabilities will be published and attackers will evolve. Thus, effective security organizations make it easy to ingest bug or vulnerability disclosures, and have a plan and mechanism for updates.

To be effective in this domain, organizations should:

  • Plan for how to remedy security issues unknown today but that could be relevant in the years to come,
  • Implement an easy to use update mechanism across all deployed systems, and
  • Empower users and security researchers with an easy communication channel to disclose security flaws, which are received by a human at the vendor who can triage and address.

2. Adopt an adversarial perspective
To defend against the attacker, you must think like the attacker. Effective security organizations recognize this truism and attempt to apply it in a handful of ways.

a. Understand your threat model
No system is ever going to be completely resilient against every attacker and every attack. However, by focusing on the adversaries that an organization is most concerned with, in the context of the assets the organization wishes to protect and the attack surfaces against which an adversary launches malicious campaigns, organizations can design and deploy security programs that are more effective against the most concerning type of threats. Threat modeling is an exercise through which effective security organizations go in order to define assets, adversaries and attack surfaces in the pursuit of optimizing the defense paradigm.

To be effective in this domain, organizations should:

  • Define the assets to protect,
  • Define the adversaries to defend against,
  • Define the attack surfaces, against which abuse and misuse cases can be deployed,
  • Communicate the threat model across all internal and external stakeholders, and
  • Update the threat model frequently.

b. Understand your trust model
An inverse to the threat model, a trust model is an exercise through which an organization defines who it trusts, why it trusts that person and how trust is provisioned and validated. All organizations must be able to trust certain internal and external parties in order to execute on the business and functional needs; the trust model empowers the organization to do so while adequately understanding and mitigating risk that is associated with allocating such trust.

To be effective in this domain, organizations should:

  • Define who you trust,
  • Define why you trust that person, and
  • Outline a process for provisioning trust, including how to ascertain authentication, authorization and access control, while also considering privilege revocation.

c. Understand how modern adversaries operate
Most modern organizations adopt security models defined by the premise of keeping attackers on the outside of rigid perimeter defenses. However, the concept of a defined perimeter is outdated, and modern adversaries typically do not attack perimeter defenses directly. Instead, modern adversaries typically attempt to exploit trust and access in the supply chain, through stepping-stone attacks. This is a notoriously effective attack model in an IoT context, which typically tends to be overly permissive with trust, which in turn unwittingly enables such attack vectors. Effective security organizations understand this attack model and implement defense mechanisms accordingly.

To be effective in this domain, organizations should:

  • Consider stepping stone attack methodologies,
  • Review integrations for potential harm in event of successful exploitation of third-party trust and/or access, and
  • Perform effective security assessments.

d. Perform security assessments best aligned with your goals
It goes without saying that most or all organizations should pursue security assessments to investigate for security flaws, which should then be remediated. Implied with this concept, however, is that organizations must also best understand what they want to accomplish with a security assessment and why that is important. For some organizations, a commodity-level, low-intensity, automated penetration test will be sufficient to satisfy their security needs. For others, more thorough approaches, such as manual white box security assessments, will be more appropriate. Effective organizations understand the distinction and apply appropriate methodologies accordingly.

To be effective in this domain, organizations should:

  • Define objectives for security assessment, in accordance with their defined threat model and trust model;
  • Understand that different methodologies are best suited for different objectives and their correlating outcomes;
  • Vet partners for security pedigree, including contributions to security research, talks and technical capabilities; and
  • Invest appropriate financial and manpower resources.

e. Understand the role of compliance
Most organizations are likely to face some element of a compliance framework somewhere across their own organizational needs or the needs of their customers. Depending on the framework, compliance typically does an adequate job of establishing the baseline requirements for the foundation of a security program. However, compliance should not be seen as the entire security program unto itself. Effective security organizations recognize the role of compliance as being important to satisfying stakeholder needs, but will go beyond the outlined minimum if delivering a robust security posture is important.

To be effective in this domain, organizations should:

  • Identify which compliance frameworks are important to the organization and why;
  • Define what a successful outcome of the security model looks like; and
  • Define the delta between compliance and the desired outcome, and mobilize accordingly.

Privacy: Ways of thinking

Merriam Webster Dictionary defines privacy as “freedom from intrusion,” yet in a modern context, the application of the term has really come to be more about the decision by individuals about who has access to their data — a concept around which regulators and activists are rallying around. To best protect both end users and the companies that accumulate their data, privacy should be considered from the outset, so as to best integrate well-reasoned decisions about privacy into all subsequent business decisions. Here are a handful of strategies for how to think about privacy in an IoT context:

1. Consider privacy a leadership issue
As with any domain across the business, what the executive leadership prioritizes is what flourishes. From the standpoint of the marketplace, the industry and, in many cases, regulators, a well-designed approach to privacy is an expectation for leaders to deliver. Well-defined privacy policies are core to an organization making strategic business decisions that protect customers and do not unnecessarily expose the company to risk.

To be effective in this domain, organizations should:

  • Engage senior management in developing a privacy approach,
  • Create a plan for how to design and implement privacy,
  • Establish a way to measure success,
  • Educate and continually train your employees, and
  • Institute oversight of privacy policy.

2. Consider data collection
Organizations benefit from various types of data that can be collected from their customers and users, including by discovering emerging trends, better serving the customer and uncovering new revenue streams. However, with such collection of data comes some risk of regulatory issues in some cases and brand damage issues in other cases. As such, organizations should think carefully about the kinds of data they want to collect and why they want to collect that data, and make informed decisions about the value of collecting the data versus the potential reputational and financial impacts of violating privacy later as a result of possession of that data.

To be effective in this domain, organizations should:

  • Clearly inform the individuals about the purpose for which data will be collected, used or disclosed and obtain their consent in writing;
  • Provide choice. The best model is to require individuals to opt-in to be granted access to their data, but at least offer them the ability to opt-out;
  • If you collect personal data from third parties, ensure the third party has obtained consent from the individuals to disclose it for your intended purpose; and
  • Identify what kind of and how much personal information your organization handles.

3. Consider data usage
Once an organization possesses data, the organization now must consider how it will use that data and how it will safeguard the data. To ensure the latter, organizations should consider the many elements introduced previously in this analysis pertaining to security. To ensure the former, organizations should have a well-defined approach to data usage that considers how to best achieve the desired outcome of obtaining and using the data in consideration of the potential risks that such data usage introduce.

To be effective in this domain, organizations should:

  • Ensure that the purposes for which you obtained consent to collect personal data must indeed be the only ones for which that data is used;
  • Ensure that any changes in the disclosure and use of the personal data collected should receive a new and separate consent in writing; and
  • From legal, regulatory and common sense industry perception standpoints, understand your organization’s obligations and risks as it pertains to how you intend to use data collected; and
  • Ensure that there is a formal procedure in place to handle requests for access to personal data, including their purpose, an evaluation of their data security measures, storage locations, access rights (individuals and other companies) and disposal mechanisms.

Call to action

IoT is often considered to be such an innovative and disruptive technology migration that many consider it to be something completely new, like nothing ever seen before. In some ways, that is true — at least from an innovation perspective. But from a security perspective, and from a privacy perspective, the challenges that IoT vendors and buyers face are the same that have afflicted the many technology migrations that have preceded IoT. Hopefully by considering some of the approaches outlined in this article, buyers and vendors can best address these challenges to ensure that IoT is adopted in a manner that effectively integrates attack resiliency and privacy protections.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 2, 2018  1:13 PM

The role retailers should play in driving IoT security certification standards

Greg Martin Profile: Greg Martin
Consumer IoT, Enterprise IoT, Internet of Things, iot, IoT devices, iot security, nist, retail, retailers

IoT devices have fundamentally changed the way both businesses and consumers function. Personal fitness trackers, digital cameras, home-grade Wi-Fi routers and drones have all weaseled their way into our daily lives, and enthusiasm for the technology shows no signs of slowing down. In fact, Gartner estimates that more than 20 billion IoT devices will be deployed by 2020, and IDC predicts that global IoT spending could hit nearly $1.4 trillion by 2021.

One of the biggest risks to IoT is that there are currently no security standards for the hundreds of new IoT devices that flood the market each year. For e-commerce, we rely on SSL to consistently secure our devices. For computers and other devices in the enterprise, communication between machines and with servers is protected via decades of standards from NIST to ISO 27001. IoT devices, however, are largely left unsecured, with most products being produced in China with little regulation. Worse, end users are often completely unaware of all the sensors IoT devices include and the ramifications they may have for privacy, such as a smart lightbulb that also records video and audio by default, for example.

Overcoming IoT security hurdles

There are a few reasons why IoT security leaves so much to be desired. Since IoT devices tend to be on the smaller side, e.g,. thermostats or watches, it can be difficult for them to handle complex software patches and updates, especially compared to more powerful computers or servers. IoT devices are also usually built with proprietary hardware and customer software, making it even more challenging to manage IoT devices, push updates and effectively enforce access control. Another major issue plaguing IoT security is the collective rush of manufacturers to deliver new IoT products ahead of their competitors. As a result, most manufacturers end up favoring ease of setup/use over adequate security.

To prioritize comprehensive IoT device security and better protect both businesses and consumers from IoT devices that are often unknowingly brought into workplaces and homes, retailers must begin to feel a sense of responsibility to protect consumers. In particular, leading retail organizations like Best Buy and Amazon need to set a precedent of evaluating IoT device security before selling these products on the U.S. market. Implementing a retail-driven security certification of approval would go a long way in protecting end users, and even better, it would incentivize IoT device manufacturers to improve their product security.

IoT-based DDoS attacks require action

With malware like Mirai and Reaper exploiting vulnerabilities in IoT devices and crippling entities that depend on internet services, retailers need to act now. In fact, the National Institute of Standards and Technology (NIST) Department of Commerce just issued a call for vendors to provide product and technical expertise to support and demonstrate security platforms for mitigating IoT-based distributed denial-of-service attacks. Although open to any organization, it behooves retailers to participate and collaborate with technology companies to address the challenges identified by NIST. The project plans to produce a NIST Cybersecurity Practice Guide, so retailers also have an opportunity to help draft tactical tips that could help consumers and businesses mitigate IoT-based automated distributed threats that prey on connected devices and networks.

If retailers continue to turn a blind eye to IoT device security, all of us stand to suffer. Businesses will lose millions in revenue, not to mention hard-won customer trust, and consumer privacy will remain in jeopardy. Retailers must establish a security certification of approval for IoT devices and work to address potential vulnerabilities before any trouble can rise. Perhaps most importantly, retailers need to form close alliances with manufacturers and work together to make IoT devices as secure as possible throughout the entire product lifecycle.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 1, 2018  3:05 PM

A big looming risk for IoT is privacy

Jose Nazario Profile: Jose Nazario
ethics, Internet of Things, iot, IoT data, iot security

The security risks of the internet of things are well documented and ever growing. We’ve seen Mirai and other botnet attacks shut down sites around the web using the fire power of millions of co-opted webcams and other devices. There have been remote attacks and controlled hacks that have shut down heating in buildings during the winter, disabled a car and taken control of traffic lights. Those are scary, but they aren’t the only concerns with IoT that we have. In coming years, we’ll see another big threat arise from IoT: privacy issues that will affect all of us. And they will have significant moral and ethical implications.

For example, this past year saw reports of the police being called to a Texas home over a violent domestic altercation caught by an Amazon Alexa, wherein a man was possibly about to harm a woman and her child. The situation, although harrowing and fortunately a tragedy averted, raised some interesting ethical questions. Early in 2018, it was revealed that this wasn’t an isolated case — Amazon hands over a lot of data to the police, but doesn’t identify if any of it comes its voice assistants Echo and Alexa. This domestic and personal use of digital assistant data for law enforcement raises interesting areas of privacy law — after all, these are in your home or personal space wherein you have an established precedent for privacy. I expect lawyers to push back on some of these cases under these guidelines.

But IoT isn’t just in your home, it’s all over our cities, as well. Some cities already have “shot spotter” technologies, where an array of microphones can be used to triangulate the sound of gunshots. Recent smart city deployments plan to extend this sensor network with additional types of sensors. The city of San Diego, California, is working with industry to wire the city with over 3,000 sensors on streetlights. These sensors ostensibly will help conserve power, improve health and safety, and even provide conveniences like identifying open parking spaces.

However, the privacy risks to individuals are often underestimated. These risks include spying and stalking, and burglars identifying when residents leave a house they want to break into. Smart city cybersecurity risks include hijacking and abuse of devices and networks, akin to the Mirai and Reaper botnets, theft of services such as parking or public transit, or open proxy abuse like we see with standard PCs. The internet at large is likely to pay the price from spam and cybercrime, as well as city taxpayers who will have to pay for continual cybersecurity cleanup of these devices, and possible early replacements.

What’s more, this privacy risk enters into a thorny legal area which is ripe for debate. The smart city exists in public spaces, meaning our expectation of privacy is greatly reduced. Already a judge in Florida has ruled that a brake recording device in a car was using public data because brake lights are visible, which set a precedent with regard to privacy expectations in the age of ubiquitous recording and data collection.

For IoT, emerging questions, which I expect will be debated in the next few years, include: Who derives the benefits from this aggregate data, private companies or local governments and their constituents? What harm is done to individuals who have their data mixed with others’ without any concern for remaining identifiable information? What duty does the government have to protect that privacy and minimize harm? Lawyers and privacy advocates have asked these questions and more, but we’re only at the very beginning of this important conversation, which has real impacts on our lives.

American privacy law, heavily influenced by the publication of a Harvard Law Review article in 1890 by Samuel Warren and Louis Brandeis, was further updated by tort expert William L. Prosser in a 1960 California Law Review article. He argued that privacy laws should ensure individuals are protected against intrusion into their solitude, protected from embarrassment or unwanted publicity, and protected against the appropriation of their likeness against their will. These scholars helped inform legislation that we take for granted in American society. However, these privacy laws were written in an era where an individual or even a news organization had to expend great effort to collect information on an individual. Today data on millions of people can be collected in seconds. These laws will certainly be tested in the coming years in the age of smart cities and IoT, where we have a mixture of mass data collection, security control gaps and conflated ownership between governments and private companies.

The law is not created out of thin air; most often it draws off precedent, principle and existing laws. While there is a growing mismatch between current law and technology, I don’t expect a new set of privacy laws to emerge. Instead, the collision between IoT and privacy will coalesce in the courtrooms and result from incremental extensions of existing legal frameworks.

In recent years, especially with the advent of big data and social media, the lack of consideration for ethics in technology has come into focus. With the rise of ever-widening IoT measurements and smart cities, the risk due to ethical gaps grows. These risks include immediate dangers to citizens and property (including critical infrastructure!) due to lax cybersecurity protections, harm to long-term safety of individuals and society from the theft of aggregated data, and more. If you’re a technologist in this space, make friends with ethicists and legal scholars who have studied this rich body of work, and recognize the coming catastrophe. By working across disciplines — including technologists, city planners, ethicists and legal experts, privacy experts, vendors and citizen panels — we can avert this crisis and realize the promise of smart cities. But this work must be done in all phases, including concept formulation, design, development, implementation and operation. Without it, we expose everyone to undue risks and a stripping away of American privacy in our communities. Pay attention to the European project VirtUE, which seeks to evaluate these ethics questions in IoT, and include that as part of your maturation.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 1, 2018  1:55 PM

Wearables: The next wave of enterprise IoT?

Josh Garrett Profile: Josh Garrett
Boeing, customer, Data, Data-security, Efficiency, FBI, Internet of Things, iot, IoT data, iot security, IT, manufacturer, relationship, Security, Software, Wearable devices, Wearables, Workflow

As the internet of things evolves and grows more advanced, global organizations are increasingly turning to wearable devices for real-time data feedback and a competitive edge over their peers. By 2020, there could be as many as 600 million wearable devices connected to the internet (not to mention a more than four-fold increase in North America alone).

Unfortunately, few are truly prepared for the challenges that come with managing and securing these on-the-go IoT technologies. Let’s take a closer look as to why.

What’s the deal with wearables, anyway?

While Apple’s smartwatches have become the titan that dominates today’s wearable device market, businesses are implementing dozens of intelligent, on-the-go machines to learn more about employees and the everyday workplace than ever before. By successfully deploying wearable technology, never-before-seen insights and information can be uncovered as IoT sensor data is correlated to actual human behavior. Simply put, wearables make enterprise IoT mobile and equip employees with real-time data — whenever and wherever they need it most.

Things like times, durations and the proximity of one device or employee to another, when combined with demographic data, can shed light on previously unidentified workflow inefficiencies. If managed well, wearable devices can even help businesses find new markets and audiences, recruit talent and motivate their employees in fresh, exciting ways.

When integrated into a robust IoT management system, however, wearables unlock their true enterprise potential: the collection of an entirely new type of people-generated data. Soon, cutting-edge corporations will understand things they never could before about workers and customers alike; what they do every day, how healthy they are, where they go and even how well they feel.

Using this unprecedented level of visibility, businesses will be able to deliver messaging and services tailored to a specific person, location, activity and/or mood. For example, recruiters could use these insights to more accurately identify dissatisfied workers, while employers could use similar data to implement policy changes that improve worker satisfaction. These devices will also help reveal previously indiscernible data patterns and trends, enhancing customer relationships and satisfaction as a result.

The velocity with which IoT environments collect and communicate data is almost unbelievable. The sensors on a single Boeing aircraft, for example, can generate up to 20 terabytes of data every hour. As wearables increase the value of IoT systems and real-time data feedback, what do companies need to do to keep their traditional IT architectures from being exposed or overwhelmed?

Security shortcomings

It’s no secret that modern global enterprises need machine-generated data to power today’s real-time business processes. The problem with wearable device security is that many manufacturers never intended for them to become high-powered business tools; instead, these devices were designed to be competitively priced goods for the consumer market.

Unfortunately, that means many current workplace wearables lack the processing power and connectivity required to ensure private, secure enterprise data. Even software patches and updates for these devices can get tricky — legacy IT infrastructure typically approaches these technologies with a pieced-together solution that makes it difficult to upgrade software components individually.

Then there’s device manufacturer data collection, usage and ownership to consider … When IoT program managers and administrators dive into these manufacturers’ privacy policies, they’re often surprised to learn that the data stored on these devices isn’t owned by their employer, but by the wearable device maker(s) instead.

There’s also seldom enough attention paid to safeguarding wearable device data against future manufacturer policy changes. Unless specifically addressed, a wearables manufacturer could change data ownership or reporting conditions down the road, leaving even the most secure or compliant company’s data exposed to hackers and external threats.

Don’t take my word for it …

IoT data security is becoming a serious threat to today’s digital business landscape. According to the FBI, once an IoT device is compromised, cybercriminals can use it to attack other systems or networks, send spam emails, steal personal data, create hazardous work conditions or participate in distributed denial-of-service attacks.

Here are eight IoT/wearables safety tips, courtesy of the FBI:

  1. Change default usernames and passwords on device
  2. Isolate IoT devices onto their own protected network(s)
  3. Configure network firewalls to prevent traffic from unauthorized IP addresses
  4. Implement device manufacturer’s security recommendations and, if appropriate, turn off devices when not in use
  5. Use reputable information sources that specialize in cybersecurity analysis when reviewing and purchasing IoT devices
  6. Ensure device security patches are up to date
  7. Apply cybersecurity best practices when connecting devices to a wireless network
  8. Use a secure router with appropriate security and authentication practices

Moving forward, businesses will need to rely on entirely new systems and technologies to protect IoT data. As wearables skyrocket in popularity, it’s important for enterprise mobility efforts to do their homework and consider each potential solution’s security capabilities before procurement, not after the fact.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


February 1, 2018  12:13 PM

Growth of open source adoption increases number of security vulnerabilities

Tae Jin Kang Profile: Tae Jin Kang
Internet of Things, iot, iot security, Open source, Open source security, Software vulnerabilities

The 2017 Equifax breach served as a major PSA of the growing size and scope of security vulnerabilities in open source — software components and applications. Despite many of them being “known,” these security flaws pose a potentially debilitating risk to enterprise security.

Due to its incredible value as an engine of innovation, open source has become an irreversible trend. More than 90% of all software either contains open source components or is comprised completely of open source. It exists in operating systems, productivity software, and administration and development tools — and in code libraries that companies and third-party software vendors use to build their software. Today, it would be a challenge to find commercial or off-the-shelf software without open source components.

Open source in IoT

The continuously expanding IoT space is no exception to the widespread open source integration. In fact, Embedded Linux is the number one IoT operating system. Linux and adjacent open source components are used in operating systems, network platforms, applications and IoT firmware. This trend will only continue to grow because by using open source, developers in this segment and beyond can lower assembly costs and quickly add innovations — saving months or years of originally required development time.

Software vulnerabilities

Whether software code is proprietary or open source, it harbors security vulnerabilities. Supporters of open source argue that the accessibility and transparency of the code allow the “good guys” — corporate quality assurance teams, white hat hackers and open source project groups — to find bugs faster.

On the other hand, critics contend that more attackers than defenders examine the code, resulting in a net effect of higher incidents of vulnerability exploits. Whichever the case, the open source community is very good at addressing vulnerability issues. Once security risks are discovered, the community will quickly catalogue and provide patches for these vulnerabilities.

Growth of number and scope of open source software vulnerabilities

Despite its already staggering adoption rate, more open source code is being developed and shared than ever before. The Linux Foundation estimates that more than 31 billion lines of code have been committed to open source repositories. But accompanying this increase in the number of developed and shared lines of code is the increase in the number of reported vulnerabilities.

Three ways vulnerabilities are expanding dynamically

The number of vulnerabilities reported is on the rise. More code development inherently means more inadvertently created security vulnerabilities. The U.S. government has been tracking this issue as well, through its sponsorship of the Common Vulnerability and Exposure (CVE) list and the National Vulnerability Database (NVD). In 2017, the CVE list reported more than 8,000 newly added vulnerabilities. This was a new record.

Further complicating matters is the fact that good open source code can be used in many different ways — across a spectrum of different kinds of applications. However, when a “good” piece of open source code contains a security flaw, the potentially large number of platforms and software applications that have integrated the code become vulnerable to hacking.

Compounding this issue is the likelihood that known security vulnerabilities will hide in the code. Consequently, users are unaware that within their code rest security threats awaiting hacker attacks. So, how are these known vulnerabilities able to hide in and pervade applications, platforms and devices that use open source?

While updated versions of open source components are available without security vulnerabilities, in-house software development teams and third-party developers will be hard-pressed to effectively track all open source software components in their internally developed and externally sourced code.

These challenges are partly due to the software development and procurement model, whereby development teams often receive third-party software in binary format.

Understand your code

Development, security and software provisioning teams can use binary code scanners that utilize code fingerprinting. These tools extract “fingerprints” from a binary to be examined and then compare them to the fingerprints collected from open source components hosted in well-known, open source repositories. Once a component and its version are identified through this fingerprint matching, development and security teams can easily find known security vulnerabilities associated with the component from vulnerability databases, like the NVD.

Make the time to address the vulnerabilities

As engineering teams develop new versions of software, they are alerted to potential security vulnerabilities that need to be patched. Unfortunately, the software development industry has demonstrated a tendency to give vulnerability patching a very low priority. This lack of urgency may push patches to a later software version, with very infrequent real-time patch administration. This model results in known security vulnerabilities going unpatched for significant periods of time, further exacerbating a company’s vulnerability.

Open source adoption has and will continue to generate amazing innovations. However, the growing number of security vulnerabilities in the code could impede its rate of adoption and innovation. Software developers, distributors and users can neutralize the threats posed by these vulnerabilities by understanding their code, finding the flaws and proactively taking the steps to address them.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: