
The International Cloud Security Alliance (CSA) Releases an IoT Security Guide with Recommendations for the Secure Deployment of IoT Devices

The Cloud Security Alliance (CSA) has published an IoT security guide, "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products", intended to help designers and developers of IoT-related products and services understand the fundamental security measures that must be built into the entire development process.

The report states:

The IoT is driving a transformation of consumer, commercial and industrial processes and practices. In 2015 many types of IoT products appeared on the market, and we carried out some real-world research whose results show that concerns about IoT security are well founded. Based on this research, we learned that securing an IoT product (not merely securing the product itself) involves higher-level requirements, including:

  • The need to protect consumer privacy and limit the spread of PII and PHI
  • The need to protect business data and limit the leakage of sensitive information
  • The need to prevent IoT products from being used in DDoS attacks
  • The need to guard against the loss and harm that result when the security of these products is compromised

Main contents of the CSA IoT security guide

  1. A discussion of the security challenges of IoT devices
  2. An analysis of a survey conducted by the CSA IoT Working Group
  3. A discussion of the security issues of IoT deployment platforms
  4. Categories of IoT devices and trends
  5. Recommendations for secure devices and a deployment process
  6. A checklist for security engineers to help them follow the deployment process
  7. A set of IoT product case studies and the threats they face

The main entries of the guide's table of contents are excerpted below:

1. The Need for IoT Security

  • IoT Products Can Compromise Privacy
  • IoT products can lend their computing power to launch DDoS Attacks
  • Medical Devices and Medical Standard Protocols are Vulnerable to Attack
  • Drones Are Approaching Mainstream Status and Being Used as a Platform for Reconnaissance
  • Critical national infrastructure can rely on the IoT ecosystem
  • Cars are becoming connected and autonomous
  • Moving Forward

2. Why Development Organizations Should Care About Securing IoT Products

  • IoT Device Security Challenges
  • IoT products may be deployed in insecure or physically exposed environments
  • Security is new to many manufacturers and there is limited security planning in development methodologies
  • Security is not a business driver and there is limited security sponsorship and management support in development of IoT products
  • There is a lack of defined standards and reference architecture for secure IoT development
  • There are difficulties recruiting and retaining requisite skills for IoT development teams including architects, secure software engineers, hardware security engineers, and security testing staff
  • The low price point increases the potential adversary pool
  • Resource constraints in embedded systems limit security options

3. IoT Security Survey

Guidance for Secure IoT Development

  • 1. Start with a Secure Development Methodology
  • Security Requirements
  • Security Processes
  • Perform Safety Impact Assessment
  • Perform Threat Modeling
  • 2. Implement a Secure Development and Integration Environment
  • Evaluate Programming Languages
  • OWASP Python Security Project Link
  • Integrated Development Environments
  • Continuous Integration Plugins
  • Testing and Code Quality Processes
  • 3. Identify Framework and Platform Security Features
  • Selecting an Integration Framework
  • Evaluate Platform Security Features
  • 4. Establish Privacy Protections
  • Design IoT devices, services and systems to collect only the minimum amount of data necessary
  • Analyze device use cases to support compliance mandates as necessary
  • Design opt-in requirements for IoT device, service and system features
  • Implement Technical Privacy Protections
  • Privacy-enhanced Discovery Features | Rotating Certificates
  • 5. Design in Hardware-based Security Controls
  • The MicroController (MCU)
  • Trusted Platform Modules
  • Use of Memory Protection Units (MPUs)
  • Incorporate Physically Unclonable Functions
  • Use of specialized security chips / coprocessors
  • Use of cryptographic modules
  • Device Physical Protections
  • Tamper Protections
  • Guard the Supply Chain
  • Self-Tests
  • Secure Physical Interfaces
  • 6. Protect Data
  • Security Considerations for Selecting IoT Communication Protocols
  • 7. Secure Associated Applications and Services
  • 8. Protect Logical Interfaces / APIs
  • Implement Certificate Pinning Support
  • 9. Provide a Secure Update Capability
  • 10. Implement Authentication, Authorization and Access Control Features
  • Using Certificates for Authentication
  • Consider Biometrics for Authentication
  • Consider Certificate-Less Authenticated Encryption (CLAE)
  • OAuth 2.0
  • User Managed Access (UMA)
  • 11. Establish a Secure Key Management Capability
  • Design Secure Bootstrap Functions
  • 12. Provide Logging Mechanisms
  • 13. Perform Security Reviews (Internal and External)
