Once upon a time, in what’s now a bygone era, computers were computers, cars were cars and toasters were toasters. In today’s increasingly connected and sensor-enabled world, however, a new car can contain over 3,000 semiconductor chips, since computing power is essential to controlling everything from in-car navigation systems to transmissions. Modern refrigerators feature touchscreen interfaces and Wi-Fi-enabled features; some can even sync with your smart dishwasher or smart microwave. A plethora of other consumer-oriented products now let people interact with them via a smartphone or tablet, even when they’re away from home.
In short, the line between “product” and “technology product” has become ineluctably blurred. Ever-growing numbers of manufacturers are incorporating sensors into product designs or adding digital connectivity into formerly analog devices. This means that increasing numbers of companies — many without backgrounds in software engineering — are now developing applications. How can they ensure that the products they’re building are secure against modern cyber threats?
Enterprise security vs. product security
It’s a fact of life for today’s businesses: organizations that want to bolster their resilience against cybersecurity risks will need to build a robust internal cybersecurity program or seek help from a managed detection and response (MDR) provider or other external expert team. In and of itself, maturing an enterprise security program is a complicated endeavor. In addition, companies that create, develop and sell technology products should also consider what they’re doing to build out cybersecurity for their products.
Product security entails a distinct set of concerns from those the Chief Information Security Officer (CISO) is responsible for. An enterprise security program aims to protect corporate computing systems from external attackers and to preserve the confidentiality of intellectual property and sensitive customer data. A product security team, by contrast, protects the connectivity, web services and computing infrastructure associated with the product, plans how it would respond if one of those systems were compromised, and manages software vulnerabilities within the product itself.
In general, product security teams are tasked with:
- Incident response: If a customer (or security researcher) reports a vulnerability in the product, how will you receive, triage and remediate it? And if the product or the systems behind it are actually compromised, how will you handle that incident?
- Investigating complaints: If customers report that a product or its associated application is unreliable, does this mean it’s vulnerable to attack?
- Vulnerability management: What will you do if software inside the product you sell needs patching?
- Strengthening product security during all design phases: Does your development team leverage secure coding practices? What types of software testing do you do? How early? How often?
Enterprise and product security teams are wholly different organizations with different goals, requirements and motivations. Depending on the type of product involved, it’s likely that regulatory oversight will differ as well. Of course, the company wants to be able to build and sell products profitably, but it also needs to ensure that it meets compliance standards that were designed to protect the public. Reducing litigation risk is increasingly important, too.
Industries leading the way in product security
Organizations have wildly varying degrees of maturity when it comes to the cybersecurity of their products. Some, motivated by pressure from investors, clients, auditors or regulators, are highly mature when it comes to building cyber-safe products. Others are less aware of the potential issues and risks, perhaps because they don’t understand the problem’s relevance, or perhaps because they believe that security is a barrier to product development (hint: done the right way, it doesn’t have to be).
Perhaps the best example of an industry where mature product security processes are likely to be in place is the medical device industry. Having long faced strong regulatory oversight from the U.S. Food and Drug Administration (FDA), medical device manufacturers build systems like pacemakers and insulin pumps that are critical for keeping their wearers alive. When you’re building life-supporting systems that often have Bluetooth or app connectivity, and you’re always under the sharp eye of regulators, your incentives for maintaining robust product security are strong.
Makers of industrial control systems (ICS), including the Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) that operate in critical infrastructure facilities, also have strong reasons to secure their products. After all, these hardware and software systems control the operations of nuclear power plants, the electrical grid, wastewater treatment plants, dams, communication networks and other essential public infrastructure needed to keep the public healthy and safe. In recent years, as threat actors have demonstrated the capability to compromise electrical power distribution systems in countries such as Ukraine, these industries have come under increasing scrutiny.
Children’s toy manufacturers have strong incentives to secure their products as well, since both regulators and the media tend to react strongly to reports of the misuse of children’s data.
Best practices for building a robust product security program
One thing that’s similar for enterprise security and product security is that building out a mature program isn’t something you can accomplish overnight. Instead, we recommend that you take a step-by-step approach to strengthening your capabilities.
#1: Start with a self-assessment: Where do you think you’re at when it comes to product security maturity? Do you feel that your team is handling it well? Is there some room for improvement? Or are you unsure, or even uncomfortable?
#2: Analyze your incentives: If you’re producing a product, who does it serve? Which regulatory authorities govern your industry? What consumer protection groups are active in the sector? Are there any penalties you’d face for not having a secure product? How competitive is the market for your product?
#3: If you’re uncomfortable, and you don’t have a program, start one today. It’s not about making your product’s security perfect on Day One, but instead, it’s about getting engaged in the process of ongoing improvement. There’s no one right way to do this. You might start with hiring an external expert to perform penetration testing on your product. Or you might begin by implementing secure coding practices. You could also start to include security testing throughout the product development process. This might be hardware testing, software testing or integration testing – the goal is simply to become more proactive and to fix more things.
The first few times that you try to perform security testing on your product, or implement secure coding practices within the development cycle, it’s likely that there will be bumps along the way. This could cause product delays or challenge your team to broaden their skills. However, as your processes mature, they’ll get faster and overcoming barriers will become more routine.
In recent years, with the growth of the DevSecOps philosophy, it’s become possible for development teams to both shorten release cycles and improve product security. Incorporating modern, agile ways of working and automated tool chains makes it easier to make rapid changes to your product. This means a vulnerability can be fixed sooner after it’s found, and security testing can be incorporated into the development lifecycle earlier and more often.
Here at BTB Security, we offer threat assessment and penetration testing services that can help our clients understand their strengths and weaknesses when it comes to product security. Want to learn more? Schedule a free, no-obligation consultation with a member of our expert team today.