IBM Security today announced the launch of two new security testing practice areas focused on automotive security and the IoT. In other words, these are services provided to companies looking to launch connected cars and smart devices.
“Over the past year, we’ve seen security testing further emerge as a key component in clients’ security programs,” said Charles Henderson, Global Head of IBM X-Force Red, the team of researchers that will deliver these products.
“Finding issues in your products and services upfront is a far better investment than the expense of letting cybercriminals find and exploit vulnerabilities.”
In particular, IBM is focused on assisting customers with testing back-end processes, apps and physical hardware used to control access and management of smart systems. The company says that its own research shows that 58 percent of organizations test their IoT applications only during the production phase, and that the potential for introducing vulnerabilities into existing systems remains unacceptably high.
Bolstering support in automotive
To tackle these problems in the automotive industry, which is introducing more vehicles with internet connectivity, IBM X-Force Red has set up a dedicated practice. The team has so far collaborated with more than a dozen automotive manufacturers and third-party suppliers, and aims to “help to shape and share industry best practices and standardize security protocols”.
Earlier this year, IBM released information regarding some of the security pitfalls surrounding connected cars, notably what happens during the transfer of ownership, which, if not handled securely, could create an opportunity for a malicious takeover of the functions of the vehicle.
The IBM X-Force Red team is tasked with identifying and eliminating risks for customers by performing security testing of the components within a connected vehicle and doing solution-based security testing for the complete system of the vehicle.
Security by design for IoT
From an IoT standpoint, IBM says that demand and shortened production cycles often lead to rushed or non-existent security testing for these new products and services. This is particularly true of smart home products, according to market analysts at ABI Research, and is evidenced by some of the recent IoT hacking stories, such as the Spiral Toys teddy bear.
The point is that, in a rush to break into the market, too many companies are not adopting a security by design approach to IoT. IBM X-Force Red claims that it is changing this perception by advocating programmatic and on-demand security testing throughout the entire lifecycle of the product.
The company is also ensuring that its new security testing offerings will be automatically delivered alongside Watson IoT Platform to assist customers through both the development and deployment of their products, all of which can be viewed through The Red Portal.
Launched in February of this year, the portal is a cloud-based collaboration platform for clients and security professionals to get an end-to-end view of their security testing programs. IBM customers can use it to view their project in real-time and communicate with the X-Force Red team if problems arise.
Further announcements to come
At this week’s Black Hat security conference in Las Vegas, the X-Force Red team is supposedly set to also unveil the newest weapon in their arsenal: Cracken. This is a dedicated password-cracking cluster used by X-Force Red during penetration tests and security assessments, which the team will use to demo the importance of password length and complexity.
This article will be updated once further details are available.