We recently came across an article on the 7 challenges of IoT software development – here are our engineering team’s thoughts and quick responses:
While more than 80% of embedded devices are running Linux, there are growing contenders in the marketplace. Windows 10 IoT has a growing following, and strong integration into the Azure ecosystem. A traditional operating system is not always a requirement, either: JavaME, for example.
Docker’s recent partnership with ARM may also start to reach onto edge devices, bringing its agnostic approach to the wider device ecosystem.
When choosing gateways for your IoT solution, always ensure that you have chosen gateways with strong software offerings and support: SDKs, API access, documentation. Many gateways do not come off the shelf ready to work, and you should ensure space to grow as your requirements evolve. Gateways with security enabled by default give a strong advantage. Remote access to your gateways is crucial – a common pain point for our partner GSIs is requiring direct access – the man in a van is expensive and slow at IoT scale.
IoT Platforms should be evaluated on their usability, scalability and ongoing support.
Identify a system that is well documented and has a good user interface, especially around billing – slips of the mouse can cause surprises if the wrong instance sizes etc. are selected!
You should ensure that the pricing of a platform scales well with your estimated load.
Support for authentication and token-based access systems, as well as integration with authentication systems such as AD, SSO, SAS tokens, multiple CAs and multiple-HSM connectivity, gives greater flexibility to interact with multiple systems.
Platforms should be capable of communicating over multiple protocols: HTTP, HTTPS, MQTT, WebSockets etc. The tools should ideally be installable in the cloud and on-prem, and available as a managed service.
Traditional security models do not scale when applied to IoT. Platforms must be decentralised to allow automation of passwords and certificate handling.
Secure update delivery and validation of those updates is critical. Using code signing techniques makes it harder for an attacker to inject their own code into this update cycle. With policy-based encryption and delivery of certificates, it can be validated that devices don’t run unsigned code; simply revoking a certificate could prevent a device from running any malicious software.
Automated vulnerability scanning for software dependencies along with regular penetration testing helps to uncover blind spots. Engaging the entire community with a public bug bounty and disclosure policy helps to ensure that responsible disclosure of vulnerabilities is maintained.
Clean code practices with strong test coverage help developers ensure that software is running as intended and reduce the risk of oversights.
Policy-driven communication: giving a device specific roles and permissions helps to limit the attack space available to a compromised device.
Developers for IoT platforms should avoid using low-level constructs such as raw pointers and arrays, as they are prone to buffer overflows. There’s an advantage to using C++ over C for embedded APIs to build these layers of security that protect against a diverse range of threats.
Device Authority’s Enterprise Security Blueprint helps to lay out these layers and build in security across a device lifecycle.
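The point above about raw pointers and arrays, as an added example (not code from the article or from Device Authority): a C++ parser for a device message that keeps every read behind a bounds-checked class and rejects a frame whose length field lies. The two-byte frame layout and all names (`Frame`, `ByteReader`, `parse_frame`) are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical layout (assumed): byte 0 = type, byte 1 = payload length, payload.
constexpr std::size_t kMaxPayload = 16;
struct Frame {
    std::uint8_t type = 0;
    std::size_t length = 0;
    std::array<std::uint8_t, kMaxPayload> payload{};
};
enum class ParseResult { Ok, Truncated, TooLong };

// Cursor over untrusted bytes: every read is checked against what was
// actually received, so a lying length field cannot go out of bounds.
class ByteReader {
public:
    explicit ByteReader(const std::vector<std::uint8_t>& buf) : buf_(buf) {}
    std::size_t remaining() const { return buf_.size() - pos_; }
    bool read_u8(std::uint8_t& out) {
        if (remaining() < 1) return false;
        out = buf_[pos_++];
        return true;
    }
    template <std::size_t N>
    bool read_into(std::array<std::uint8_t, N>& dst, std::size_t n) {
        if (n > N || n > remaining()) return false;  // destination, then source
        std::copy_n(buf_.begin() + static_cast<std::ptrdiff_t>(pos_), n, dst.begin());
        pos_ += n;
        return true;
    }
private:
    const std::vector<std::uint8_t>& buf_;
    std::size_t pos_ = 0;
};

// Parses one frame; `out` is written only when the whole frame is valid.
ParseResult parse_frame(const std::vector<std::uint8_t>& wire, Frame& out) {
    ByteReader r(wire);
    Frame f;
    std::uint8_t declared = 0;
    if (!r.read_u8(f.type) || !r.read_u8(declared)) return ParseResult::Truncated;
    if (declared > kMaxPayload) return ParseResult::TooLong;
    if (!r.read_into(f.payload, declared)) return ParseResult::Truncated;
    f.length = declared;
    out = f;
    return ParseResult::Ok;
}
```

The equivalent C code with a bare `memcpy(dst, src, declared)` would need both checks repeated at every call site; here they live in one class that callers cannot bypass.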
Platforms should ensure that regular updates are applied automatically, with secure delivery of updates. Authentication on demand systems give a regular cadence of devices checking in and ensuring that systems are maintained.
Additionally, strong documentation and accessible support systems allow users to get timely support for what is becoming critical infrastructure. It should be ensured that breaches and leaks are addressed within a reasonable timeframe.
Many IoT platforms are developer made, developer focused and require significant training to extract value from. Simple IoT platforms make it easy for users to perform common tasks, while preventing security and configuration mistakes that are easy to overlook with an interface that hides information.
SDKs available for developers help to provide best practices to a developer. Sample applications allow leading by example, but care should be taken that sample code may not be fully production ready as its purpose is to educate and inform.
Cross-compilation of agent code to different devices is enabled by using a standard C or C++ toolchain, such as a GNU toolchain, which allows code to be deployed across many different architectures.
Choosing libraries that are open source and available for cross compilation makes this task much simpler.
For backend systems, try to stick to server-based systems such as Java and Node.js that can run in multiple ecosystems.
Containerisation of applications using Docker allows for deployment of applications into multiple hosting providers, whether that is on bare metal servers, VMs or fully managed cloud systems with high availability systems.
As the IoT ecosystem grows within the world, performance, security and architecture considerations become increasingly important. IoT platforms have a disruptive model, with user-less devices released into the public domain at a scale that has never been seen before. As developers we have the responsibility to make informed decisions that will impact the world.