THE INTERNET OF THINGS IS COMING @jkriggins #fowa

How to Build Your Future in the Internet of Things Economy. Jennifer Riggins


WILL YOU BE READY?

By 2020

25 billion connected devices

$263 billion in revenue

10x the impact of the Internet itself


$19 trillion by 2025!

Mike Amundsen, API Academy

@MAmund

“The IoT space is definitely ready to enter. This is a fantastic space. The Internet of Things is going to be faster, bigger than the Internet.”

Healthcare

Security

Money

Road Safety

Enterprise

Listening

Locked out

Black outs

Interoperability

False Data

Crime


Product ideas

Customer knowledge

Market research

Industrial design

Physical design

Hardware design

Embedded architecture

Manufacturing operations

Marketing

Sales

Formula for a great product:

Know your customer

Know how to build stuff

Know how to please your customers

Hugo Fiennes, Electric Imp

@HFiennes

Formula for a great Connected Product:

Antenna design

RF engineering

RF approvals

Network-centric operating system design

Ongoing security and support

Protocol design

Network security

Server software

Scalability

Cloud operations

Device management

Hugo Fiennes, Electric Imp

@HFiennes

IoT Protocols

• MQTT

• CoAP

• XMPP

• Zigbee

• Z-Wave

IoT Standards

• Wireless Power Consortium

• Industrial Internet Consortium - ATT, GE, Cisco, Intel, and IBM

• Open Internet Consortium - Intel, Samsung, a few others

• Open Interconnect Consortium

But wait, there’s more…

• HIPAA

• PCI

• Sarbanes-Oxley

• Cyber security standards?

• NFC

• BLE

• WiFi

• 3G

• 4G

• RF

Mike Amundsen, API Academy

@MAmund

“We’re trying to build too much intelligence into one device. That’s why we have so many protocols.”

Who’s in charge?


Richard Parker, Altitude Angel

@altitudeangel

“Very much reminiscent of dot-com boon — everyone is rushing to compete the standards. We aren’t trying to compete, we want to work with everybody. Integrate with us and in addition to your drones being safer, everyone else’s drones are safer.”

1. Security

2. Privacy

3. Connectivity

4. Interoperability

5. Battery life

6. DOES IT EVEN WORK?!!??!!!

Hierarchy of IoT Needs

Brian Knopf, BRK Security

@DoYouQA

“I wanna know with 100 percent certainty when I say a device goes on, it goes on. When you think of the hierarchy of needs, security is great but it doesn’t mean anything if I can’t get it to function properly.”

APIs FTW!!!

40% value of IoT is Interoperability

1. College Dorm

2. Mid-sized family

3. Über techie

3 Testing Areas

Guillaume Gimbert, Stardust Mobile

@guibarca

“When an application crashes, it’s dead for the users. If you buy an application, sometimes it’s two euros, four euros, or it’s free, so if it doesn’t work, it’s ok, you’ve wasted your time, but when you buy an object that’s a hundred euros or more and if you can’t connect, it’s an issue…you have to be careful about connect-ability before putting your object on the market.”

RECALLS

Kevin Kal Kallaugher, The Economist

@kaltoons

1. Secure by default.

2. Secure by design.

3. Secure by deployment.

Security is a part of the human experience of IoT.

Aditya Gupta, Attify

@Adi1391

“Whenever you build a particular product, you should start thinking of the security from the very start built into the framework. Create a threat model from the start.”

‘Threat modeling my wife’

Brian Knopf, BRK Security

@DoYouQA

Neurostimulator

Leads

Electricity, Voltage

Mission Programmer

Software

Battery Charging Unit

Lifespan

Battery Leakage

Risk #1: Damage to neurostimulator caused by strong electromagnetic (EMI) interference.

Mitigation #1: EMI shielding and an MRI-safe mode.

Likelihood: Highly unlikely.

Risk #3: Attacker turns stimulation on high voltage.

Mitigation #3: Remote only works when directly against the skin. External signals don’t change this.

Likelihood: Highly unlikely.

Risk #2: Via wireless signal, someone could change stimulation profile, causing the user to be in pain, which in turn needs more medication and potentially overdose.

Mitigation #2: Remote only works when directly against the skin. External signals don’t change this.

Likelihood: Highly unlikely.

Risk #4: Overheating of skin during charging causes burns.

Mitigation: Neurostimulator monitors skin temperature and its own device temperature. Stops if unit or skin overheats.

Likelihood: Highly unlikely.

Risk #5: Riskiest, based on damaging leads with high radio frequency causing scarring, electrocution, shock or death.

Mitigation: New devices have much thicker leads dispersing RF across whole length of lead.

Likelihood: Highly unlikely.

Why only threat model?

1. $30,000.

2. Could he buy one?

3. NEVER PEN TEST YOUR WIFE

What network/s is it accessing?

What data are they getting?

Just keep questioning


Andy Thurai, IBM

@AndyThurai

“You need to be careful in your thought process, always question when you say ‘This system needs to connect to this system. Why? What’s the purpose?”

OAuth Promise:

Platform + Developer + End User

With great power comes…

IoT pulls QA to the Left.

Aditya Gupta, Attify

@Adi1391

“It’s a better role for the developer to have the security mechanism in place before the testers actually test it.”

Dogfooding the Internet of Things*

*20-year-old boys shouldn’t test menopausal women’s devices.

Diwakar Menon, Last Mile Consultants

@diwakarmenon

“Look beyond just a pure usability perspective and start peeling off the layers of the onion. They will cause tears to your eyes, but there’s a need to learn usability testing.”

Stacey Mulcahy, Microsoft

@bitchwhocodes

“Understanding how these devices work, setting them up in the fragility and unpredictability of an environment—the environments they are deployed in aren’t necessarily in their own home.”

Of the people

For the people

By the people


Kin Lane, API Evangelist

@kinlane

To investigate IoT, “is something anyone can do, I don’t think you have to be a network specialist or developer. Research the tools out there—Proxy, Sniffer—find interface devices out on the network.”

Citizen activist: noun. A domain expert or developer that doesn’t have an investment in a platform.

Citizen activist: noun. Anyone passionate about a sector and ready to ask questions.


Paul Bruce, SmartBear Software

@paulsbruce

“In order to really benefit from open standards, you need to contribute to them—provide feedback. It’s our responsibility to do what we can… Think about how the devices are going to be used and misused.”

Kin Lane, API Evangelist

@kinlane

When you are testing, “publish your strategy and plan and share it with others so they know that it’s executed and so they can emulate it.”

Who will be the winners?


Richard Parker, Altitude Angel

@altitudeangel

“When I’m looking to hire, I’m not looking for traditional software developers, I’m looking for people who are imaginative and play, build stuff at home,” like radio-controlled cars and aircraft. “Folks who are inspired by technology. I don’t want a career developer at Altitude Angel. I want them for their engineering skills but in this domain, in the IoT world, we’re blending the real world with the software world.”

Stacey Mulcahy, Microsoft

@bitchwhocodes

“Pick a project that kind of leans on your software skills and finish your project, as simple as it is, and try to have all the pieces of some kind of inputs or outputs, capturing that data.”

Makers FTW!!!

Stacey Mulcahy, Microsoft

@bitchwhocodes

Learn in two phases:

1. Getting really comfortable with your thing—how to work with it and write stuff for it.

2. Figure out how to store data, put it in the cloud—the opportunity is analysis and ability to predict behavior on the data.

Stacey Mulcahy, Microsoft

@bitchwhocodes

“The beauty right now for software is that there’s so many options and I think you’re better off to leverage what you feel like you know.”

• Arduino

• Raspberry Pi

• Spark Photon

• Java

• C++

• Linux

• Python

Diwakar Menon, Last Mile Consultants

@diwakarmenon

“Get familiar with that environment, the devices, the protocols, the gateways, the platforms. They need to understand:

• how devices communicate

• how aggregation happens

• what kind of protocols are used

• how is that data stored

Michael Kruk, Crowsnest

@crowsnestio

“Totally network your ass off.

I think you need to have an idea or hypothesis. Don’t build anything, interview everything. ‘I think I can build a program that solves Problem X for Person Y.’

Ask them, ‘What is your biggest problem in this industry?’ and hope they say X. Then after you have about a 100 people confirming your hypothesis, then you can go and write some code.”

Create your own IoT biz

Guillaume Gimbert, Stardust Mobile

@guibarca

“To learn how to work with different people with different backgrounds because, in the end, developing a software is quite easy. When we are talking about IoT, you also have to take account of design, of manufacturing. It’s software plus objects so it’s extremely difficult manufacturing lab classes - makers lab — to mix software and objects.”

Brian Knopf, BRK Security

@DoYouQA

“You have to love to learn. You can never really be complacent in QA. You’re always going to be constantly learning the technology and how to do things.”

Michael Bolton, Rapid Software Testing

@MichaelBolton

“I think there will always be a role for investigators, journalists, critics…Software will increasingly be checked through tools, through automation. What can never be automated is the investigation of social fit. Does this product fit into society? Is it good enough? Does it fulfill our intentions? Are there undiscovered intentions?”

Jennifer Riggins, eBranding.Ninja

@jkriggins

linkedin.com/in/jkriggins

“Be the first to fiddle, to write about it, to talk about it. Just be the first and the rest will all fall into place.”