Cybersecurity concerns about Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT cybersecurity guidelines to protect their citizens and customers. These guidelines constrain the development of IoT systems, which include substantial software components both on-device and in the Cloud. While these guidelines are being widely adopted, e.g. by US federal contractors, their content and merits have not been critically examined. Two notable gaps are: (1) We do not know how these guidelines differ by the topics and details of their recommendations; and (2) We do not know how effective they are at mitigating real-world IoT failures.
In this paper, we address these questions through a qualitative study of IoT cybersecurity guidelines. We collected 142 IoT cybersecurity guidelines, sampling them for recommendations until saturation was reached at 25 guidelines. From the resulting 958 unique recommendations, we iteratively developed a hierarchical taxonomy following grounded theory coding principles. We measured the guidelines’ usefulness by asking novice engineers about the actionability of each recommendation, and by matching cybersecurity recommendations to the root causes of failures (CVEs and news stories). We report that: (1) Each guideline has gaps in its topic coverage and comprehensiveness; (2) 87.2% recommendations are actionable and 38.7% recommendations can prevent specific threats; and (3) although the union of the guidelines mitigates all 17 of the failures from our news stories corpus, 21% of the CVEs evade the guidelines. In summary, we report shortcomings in each guideline’s depth and breadth, but as a whole they address major security issues. Our results will help software engineers determine which and how many guidelines to study as they implement IoT systems and help publishers improve their guidelines.
Fri 19 JulDisplayed time zone: Brasilia, Distrito Federal, Brazil change
14:00 - 15:30 | |||
14:00 18mTalk | PPM: Automated Generation of Diverse Programming Problems for Benchmarking Code Generation Models Research Papers Simin Chen University of Texas at Dallas, XiaoNing Feng Taiyuan University of Technology, Xiaohong Han Taiyuan University of Technology, Cong Liu University of California, Riverside, Wei Yang University of Texas at Dallas | ||
14:18 18mTalk | Demystifying Invariant Effectiveness for Securing Smart Contracts Research Papers Zhiyang Chen University of Toronto, Ye Liu Nanyang Technological University, Sidi Mohamed Beillahi University of Toronto, Yi Li Nanyang Technological University, Fan Long University of Toronto Link to publication Pre-print Media Attached | ||
14:36 18mTalk | Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? Research Papers Kaixuan Li East China Normal University, Yue Xue Metatrust Labs, Sen Chen Tianjin University, Han Liu East China Normal University, Kairan Sun Nanyang Technological University, Ming Hu Singapore Management University, Haijun Wang Xi'an Jiaotong University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University Pre-print | ||
14:54 18mTalk | On the Contents and Utility of IoT Cybersecurity Guidelines Research Papers Jesse Chen University of Arizona, Dharun Anandayuvaraj Purdue University, James C. Davis Purdue University, Sazzadur Rahaman University of Arizona DOI Pre-print | ||
15:12 18mTalk | CVECenter: Industry Practice of Automated Vulnerability Management for Linux Distribution Community Industry Papers Jing Luo Central South University, Heyuan Shi Central South University, Yongchao Zhang Alibaba, Runzhe Wang Alibaba Group, Yuheng Shen Tsinghua University, Yuao Chen Alibaba, Rongkai Liu Central South University, Xiaohai Shi Alibaba Group, Chao Hu Central South University, Yu Jiang Tsinghua University | ||