Transparent Security Method for Automating IoT Security Assessments
Kaksonen, Rauli; Halunen, Kimmo; Laakso, Marko; Röning, Juha (2023-11-08)
Springer Spektrum
08.11.2023
Kaksonen, R., Halunen, K., Laakso, M., Röning, J. (2023). Transparent Security Method for Automating IoT Security Assessments. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_9
https://rightsstatements.org/vocab/InC/1.0/
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:oulu-202312013460
Abstract
People and businesses are dependent on the security of the Internet of Things (IoT). Vendor-independent security assessment and certification intend to provide an objective view of the security of an IoT product. Unfortunately, the assessment is often done for a single version and configuration of the product and usually does not yield data to reproduce the assessment. We present the Transparent Security Method, in which product security is described by a machine-readable security statement. A security statement can be verified using tools for automated assessment, which can be repeated for different product versions and configurations to cover the product life-cycle. As a case study, we create an entry-level security statement for a real IoT product and do the verification using common security tools. In the study, 12 out of 15 security claims are verified fully or partially by automation. A security statement can be used in certification or labeling to speed up security assessment, especially in re-certification. Tool-based verification discourages inflated security claims, as they can be scrutinized. Eventually, this should drive product security improvements, as products without security statements are less attractive.