By the end of this decade, IoT could unlock more than $12 trillion in value worldwide, according to a 2021 McKinsey research report. B2B applications represent some 65% of this value – but as IoT becomes more critical, it has also grown more risky. Today, customers are asking vendors to prove the state of their products’ security, and deals are on the line. A recent survey by the Ponemon Institute found that nearly 3 in 5 companies have lost sales over product security concerns (like an inability to create SBOMs or prove secure development processes).

While manufacturers have looked to DevOps processes and other solutions to tackle the problem, those solutions haven’t scaled, and they slow down development and product launches. The market needs a scalable solution that effectively and efficiently scans connected devices for vulnerabilities, and one that can be deployed quickly.

Nearly two of every three executives surveyed by PwC admit that their understanding of these IoT risks is “limited” or worse. After the Log4Shell vulnerability was publicly disclosed on December 9, for example, NIST assigned it a severity rating of 10, its highest possible score. This zero-day vulnerability quickly garnered media attention as it became clear that this easily exploited flaw would affect hundreds of millions of IoT devices worldwide. But will your traditional SCA tool be able to check the composition of those devices? The answer is: usually not.

How SCA tools help find vulnerabilities

In its 2021 Market Guide for Software Composition Analysis, Gartner surveys the Software Composition Analysis (SCA) market. Developers and, increasingly, other stakeholders in the software development process rely on SCA tools to determine what’s in their applications. SCA tools typically produce a Software Bill of Materials (SBOM): an inventory of the components that make up your application.

With that SBOM in hand, SCA users then look for the legal and operational risks those components create, such as licensing concerns or known vulnerabilities. But most SCA and AppSec tools lack a major feature: they don’t usually work on connected and embedded devices.
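As an added illustration of the SBOM-to-findings step described above (example code written for this page, not Finite State’s platform or any real SCA tool’s API), the script below reads a small CycloneDX-style SBOM, builds the component inventory, and then checks each component against a license policy and a vulnerability catalogue. Every component name, version, license entry, vulnerability id and affected-version range here is a constructed placeholder, and the version comparison is a deliberately simple dotted-integer scheme; a production SCA tool would use ecosystem-aware version parsing and a real advisory feed.

```python
"""Minimal SCA pass: SBOM inventory -> license and vulnerability findings.

Added example for this page. All data below is constructed; the ids are
placeholders and do not refer to real advisories or real products.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "liblogfmt", "version": "2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "tinyhttpd", "version": "0.9.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "cryptolite", "version": "1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""

# Constructed vulnerability catalogue keyed by component name. Each entry gives
# the affected range as inclusive "introduced" and exclusive "fixed" versions.
VULN_DB = {
    "liblogfmt": [{"id": "VULN-EXAMPLE-0001", "introduced": "2.0.0",
                   "fixed": "2.15.0", "severity": 10.0}],
    "tinyhttpd": [{"id": "VULN-EXAMPLE-0002", "introduced": "0.0.0",
                   "fixed": "1.0.0", "severity": 7.5}],
    "cryptolite": [{"id": "VULN-EXAMPLE-0003", "introduced": "1.0.0",
                    "fixed": "1.1.0", "severity": 9.8}],
}

# Constructed license policy: strong-copyleft licenses are flagged for legal review.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, entry):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def inventory(sbom_json):
    """Extract (name, version, [license ids]) for every component in the SBOM."""
    sbom = json.loads(sbom_json)
    result = []
    for comp in sbom.get("components", []):
        # CycloneDX allows an 'expression' form too; only the simple id form is handled here.
        licenses = [entry["license"]["id"] for entry in comp.get("licenses", [])
                    if "license" in entry and "id" in entry["license"]]
        result.append((comp["name"], comp["version"], licenses))
    return result


def analyze(sbom_json, vuln_db=VULN_DB, denied=DENIED_LICENSES):
    """Return a list of findings: license-policy hits and matched vulnerabilities."""
    findings = []
    for name, version, licenses in inventory(sbom_json):
        for lic in licenses:
            if lic in denied:
                findings.append({"component": name, "version": version,
                                 "kind": "license", "detail": lic, "severity": None})
        for entry in vuln_db.get(name, []):
            if is_affected(version, entry):
                findings.append({"component": name, "version": version,
                                 "kind": "vulnerability", "detail": entry["id"],
                                 "severity": entry["severity"]})
    return findings


def worst_severity(findings):
    """Highest vulnerability severity in the findings, or 0.0 if none."""
    return max((f["severity"] for f in findings if f["severity"] is not None), default=0.0)


if __name__ == "__main__":
    report = analyze(SBOM_JSON)
    for f in report:
        print(f"{f['kind']:<13} {f['component']} {f['version']}: {f['detail']}")
    print(f"worst severity: {worst_severity(report)}")
```

Running it reports one license finding and two vulnerability matches for the three constructed components; `cryptolite 1.2.0` sits above the catalogue’s fixed version and is correctly left alone. The point of the exercise is the dependency on the inventory: if a tool cannot produce the component list for a device image in the first place, none of the downstream policy or vulnerability matching can happen.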

This gap in their coverage creates an attacker’s paradise: devices with loose physical security, long patch and update cycles, and highly exploitable vulnerabilities.

Where other SCA tools falter, Finite State steps in as a complement to your SCA strategy.

Finite State and Connected Device Security

You’ve seen the traditional SCA vendors in the report from Gartner. What sets Finite State apart from these solutions? We analyze finished binaries, giving you the best of SCA and SAST, plus information on zero-day vulnerabilities and configuration issues that could give attackers a back door into your devices. We’re also capable of analyzing a wide range of embedded and connected devices, unlike traditional SCA.

With the Finite State Platform, you can find out instantly if (and where) you face vulnerabilities in your embedded devices, then remediate them fast with expert guidance. Finite State gives device manufacturers a deep view into all device hardware and software components – even if you have no access to the source code. 

[Chart: AppSec tools vs. Finite State]

Say goodbye to “black boxes” – and hello to security you can prove to customers and stakeholders.

Contact us today at https://finitestate.io/contact/. We can quickly analyze your binaries and help you take the next step toward scaling and automating product security. 
