Last Updated on December 11, 2020
If your business depends on an Internet of Things (IoT) ecosystem to acquire data or deliver services, you already know that the number and complexity of your “things” and their interconnections has a huge impact on your IoT security testing requirements. At the same time, because IoT is changing and expanding so rapidly, it can be a challenge to have full confidence in a third-party (or even in-house) testing/assessment methodology.
How can you know that your IoT environment will be comprehensively tested, and that you’ll be made aware of every significant vulnerability?
This was a key topic of discussion on a recent episode of The Virtual CISO Podcast with two IoT thought leaders from the Cloud Security Alliance (CSA): John Yeoh and Aaron Guzman.
“We’re getting a lot of aid from other organizations that want to participate in that, too,” says John Yeoh. “They really see how we can take this framework, the controls here, and apply that to the ecosystem from the manufacturers to the services to the service providers. And then individuals can get certified on something like, ‘Hey, I understand IoT. I’m able to certify myself as a professional.'”
As podcast host John Verry, Pivot Point Security CISO and Managing Partner, points out, “We’re doing a ton of IoT testing right now… But this is an emerging field, and for anyone to say that they’re experts in it or they have everything figured out and do everything perfectly would be foolish at this point. I think we’re all still learning.”
Fortunately, CSA ultimately aims to create a “CSA IoT Testing Framework accreditation”: a credential that validates a tester’s capabilities and experience.
“That is absolutely part of the plan,” Aaron shares. “We do have an open certification working group, which has definitely been pushing us to try to get this in a more certification kind of roadmap, and that is our plan. This pandemic put some brakes on some of the mental capacity, but it’s definitely part of the roadmap for sure.”
CSA’s ultimate goal is to have a formal IoT attestation scheme and also a certification program for testers—as the industry needs and is asking for both.
John Verry relates: “I think that would be awesome because right now there are a lot of people out chasing a lot of business to do this testing, and I almost feel bad for the people who are hiring people like us because there is no way to know whether or not someone’s qualified to do this. They can have an OSCP. They can have a CWE. They can have a CEH… but this is a different beast…”
“You could argue that you need to know the [OWASP] Mobile Application Security Verification Standard,” John Verry continues. “You could argue that you need to know about application security in the cloud. You need the API security, and device testing is an absolutely unique field, right?”
There’s no question that a certification program for IoT testers from a trusted source like CSA would benefit not only organizations looking for reliable testers, but also professionals looking to differentiate themselves based on skills and experience.
If your business is using or planning to get into the IoT, be sure to catch this podcast with Aaron Guzman and John Yeoh.
To hear the complete show, as well as peruse our diverse selection of cybersecurity podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.