These potential weaknesses make software security just as crucial as ever. Jared DeMott, in his course this week, Application Security for Hackers and Developers, covers source code auditing, fuzzing, reverse engineering, and exploit development, along with the skills and tools necessary to find, fix, and exploit bugs in software.
DeMott explains that while many professionals are focused on securing modern frameworks, scripts, and high-level languages, more skills are going to be needed for securing traditional C and C++ code. "So kernels, and low-level operating system security is crucial for securing these devices. And in C and C++, there's a lot of opportunity for developers to shoot themselves in the foot, because developers have to manually manage system resources in these languages," he says.
And it's these low-level languages that run the telematics systems in your car and the embedded systems in your home thermostat, smart TV, and anything else. The software on all these devices is still written in C and C++.
Developers have been fighting the challenges of writing secure code in these languages for nearly two decades. "You often hear people say, 'Well, why don't we just get rid of the C and C++ language if it's so problematic? Why don't we just write everything in C# or Java, or something that is a little safer to develop in?'" DeMott says.
What does DeMott think this means when it comes to securing the IoT and embedded devices? "It's yet to be seen, but I wouldn't be surprised at all to hear about somebody remotely taking control of a car and driving someone off a bridge," he says, half-joking. "A lot of people don't realize the amount of code in their cars, or in industrial control systems. We don't know for certain if we will see a bunch of attacks on these systems, but history does have a way of repeating itself in these regards," DeMott says.