Cybersecurity concerns about Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT cybersecurity guidelines to protect their citizens and customers. These guidelines constrain the development of IoT systems, which include substantial software components both on-device and in the Cloud. While these guidelines are being widely adopted, e.g. by US federal contractors, their content and merits have not been critically examined. Two notable gaps are: (1) We do not know how these guidelines differ by the topics and details of their recommendations; and (2) We do not know how effective they are at mitigating real-world IoT failures.
In this paper, we address these questions through a qualitative study of IoT cybersecurity guidelines. We collected 142 IoT cybersecurity guidelines, sampling them for recommendations until saturation was reached at 25 guidelines. From the resulting 958 unique recommendations, we iteratively developed a hierarchical taxonomy following grounded theory coding principles. We measured the guidelines’ usefulness by asking novice engineers about the actionability of each recommendation, and by matching cybersecurity recommendations to the root causes of failures (CVEs and news stories). We report that: (1) Each guideline has gaps in its topic coverage and comprehensiveness; (2) 87.2% recommendations are actionable and 38.7% recommendations can prevent specific threats; and (3) although the union of the guidelines mitigates all 17 of the failures from our news stories corpus, 21% of the CVEs evade the guidelines. In summary, we report shortcomings in each guideline’s depth and breadth, but as a whole they address major security issues. Our results will help software engineers determine which and how many guidelines to study as they implement IoT systems and help publishers improve their guidelines.
Fri 19 JulDisplayed time zone: Brasilia, Distrito Federal, Brazil change
15:30 - 16:00 | |||
15:30 30mPoster | Predicting Failures of Autoscaling Distributed Applications Posters Giovanni Denaro University of Milano - Bicocca, Noura El Moussa USI Università della Svizzera Italiana & SIT Schaffhausen Institute of Technology, Rahim Heydarov USI Università della Svizzera Italiana, Francesco Lomio SIT Schaffhausen Institute of Technology, Mauro Pezze USI Università della Svizzera Italiana & SIT Schaffhausen Institute of Technology, Ketai Qiu USI Università della Svizzera Italiana | ||
15:30 30mPoster | On the Contents and Utility of IoT Cybersecurity Guidelines Posters Jesse Chen University of Arizona, Dharun Anandayuvaraj Purdue University, James C. Davis Purdue University, Sazzadur Rahaman University of Arizona | ||
15:30 30mPoster | Demystifying Invariant Effectiveness for Securing Smart Contracts Posters Zhiyang Chen University of Toronto, Ye Liu Nanyang Technological University, Sidi Mohamed Beillahi University of Toronto, Yi Li Nanyang Technological University, Fan Long University of Toronto | ||
15:30 30mPoster | Improving the Learning of Code Review Successive Tasks with Cross-Task Knowledge Distillation Posters | ||
15:30 30mPoster | Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? Posters Kaixuan Li East China Normal University, Yue Xue Metatrust Labs, Sen Chen Tianjin University, Han Liu East China Normal University, Kairan Sun Nanyang Technological University, Ming Hu Singapore Management University, Haijun Wang Xi'an Jiaotong University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University | ||
15:30 30mPoster | Predicting Code Comprehension: A Novel Approach to Align Human Gaze with Code Using Deep Neural Networks Posters Tarek Alakmeh University of Zurich, David Reich University of Potsdam, Lena Jäger University of Zurich, Thomas Fritz University of Zurich | ||
15:30 30mPoster | Decomposing Software Verification Using Distributed Summary Synthesis Posters DOI Pre-print | ||
15:30 30mPoster | EyeTrans: Merging Human and Machine Attention for Neural Code Summarization Posters Yifan Zhang Vanderbilt University, Jiliang Li Vanderbilt University, Zachary Karas Vanderbilt University, Aakash Bansal University of Notre Dame, Toby Jia-Jun Li University of Notre Dame, Collin McMillan University of Notre Dame, Kevin Leach Vanderbilt University, Yu Huang Vanderbilt University | ||
15:30 30mPoster | Mining Action Rules for Defect Reduction Planning Posters Khouloud Oueslati Polytechnique Montréal, Canada, Gabriel Laberge Polytechnique Montréal, Canada, Maxime Lamothe Polytechnique Montreal, Foutse Khomh Polytechnique Montréal | ||
15:30 30mPoster | How does Simulation-based Testing for Self-driving Cars match Human Perception? Posters Christian Birchler Zurich University of Applied Sciences & University of Bern, Tanzil Kombarabettu Mohammed University of Zurich, Pooja Rani University of Zurich, Teodora Nechita Zurich University of Applied Sciences, Timo Kehrer University of Bern, Sebastiano Panichella Zurich University of Applied Sciences | ||
15:30 30mPoster | Beyond Code Generation: An Observational Study of ChatGPT Usage in Software Engineering Practice Posters Ranim Khojah Chalmers | University of Gothenburg, Mazen Mohamad Chalmers | RISE - Research Institutes of Sweden, Philipp Leitner Chalmers | University of Gothenburg, Francisco Gomes de Oliveira Neto Chalmers | University of Gothenburg | ||
This room is conjoined with the Foyer to provide additional space for the coffee break, and hold poster presentations throughout the event.