Building a Modern IoT Security Stack: From Source to Firmware
Don’t just scan your source—secure your full IoT stack. Learn how to build a modern, layered security strategy from code to firmware and beyond.

Larry Pesce
VP of Services
The TL;DR of the First Three Posts
We’ve talked about a lot:
- Why traditional scanners fall short for IoT
- How compiled binaries tell the real story
- Why open source components create blind spots
Now let’s turn all that into action—a roadmap for doing IoT security the right way.
What Modern IoT Security Actually Looks Like
Security for embedded and IoT devices isn’t about slapping a scanner onto your codebase and calling it a day. It’s about building visibility and validation into every layer of the development lifecycle.
Here’s what that stack should include:
1. Source Code Analysis (SAST)
- Catch issues early, while the code is still cheap to change
- Inventory the libraries and internal components the source pulls in
- Flag unsafe logic (unchecked lengths, unsafe string handling, unvalidated input) before it compiles
2. Binary + Firmware Analysis
- Inspect the actual output, not just the intention
- Discover hidden third-party code, statically linked libraries, and hardcoded secrets
- Analyze stripped binaries: debug symbols are not required, because library version banners, strings, and code patterns survive in the build
3. SBOM Generation + Validation
- Generate SBOMs automatically from every build
- Validate the SBOM against binary analysis of the same build (trust, but verify)
- Carry version, license, and, where available, reachability information
4. Threat Intelligence + CVE Mapping
- Refresh vulnerability intelligence continuously
- Correlate it with what is actually in the firmware, not with what the build manifest claims
- Focus on exploitable paths, not just known flaws
5. Continuous Integration
- Make all of this part of CI/CD
- Scan every build, not just release candidates
- Don't wait for pen tests or compliance audits to find issues
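To make layers 2 through 4 concrete, here is a small added example of my own (not Finite State's tooling, and not code from the original post). It runs a constructed firmware blob through banner-based component detection and secret detection, checks a constructed CycloneDX-style SBOM against what the binary actually contains, and correlates the observed versions with a constructed advisory feed. The OpenSSL, zlib, and BusyBox banner formats are real (those libraries embed them), but the firmware bytes, the SBOM, the advisory identifiers, and the fixed versions are all placeholders made up for the example.

```python
"""
Added example (my own code, not Finite State's tooling): a minimal version of
layers 2 to 4 above, run against one firmware blob.

Everything here is constructed for the example: the firmware bytes, the SBOM
and the advisory feed. Real banner formats from OpenSSL, zlib and BusyBox are
used because those libraries embed them; the advisory ids are placeholders.
"""
import json
import re

# Version banners that common embedded libraries compile into their binaries.
# Matching on these needs no symbols, so it works on stripped binaries.
BANNER_PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+) Copyright"),
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+\.\d+)"),
    "curl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
}

# Material that should never ship inside a firmware image.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "hardcoded_password": re.compile(rb"(?i)password=[^\x00\s]{4,}"),
}

# Constructed firmware: an ELF-looking header followed by the kind of strings
# a real image carries. The key and password are obviously fake.
FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"BusyBox v1.31.1 (2020-05-01 10:00:00 UTC) multi-call binary.\x00"
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...FAKE\n\x00"
    + b"password=admin123\x00"
)

# Constructed CycloneDX-style SBOM, as the build system declared it.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "busybox", "version": "1.31.1"},
        {"name": "openssl", "version": "1.1.1k"},  # manifest claims 1.1.1k
        {"name": "curl", "version": "7.68.0"},     # declared, no banner in blob
    ],
}

# Constructed advisory feed: placeholder ids, one fixed version per branch.
FEED = {
    "openssl": [{"id": "EXAMPLE-ADVISORY-1", "branch": "1.0.2", "fixed_in": "1.0.2u"}],
    "zlib": [{"id": "EXAMPLE-ADVISORY-2", "branch": "1.2", "fixed_in": "1.2.12"}],
}


def extract_components(firmware: bytes) -> dict[str, str]:
    """Layer 2: {component: version} for every banner present in the blob."""
    found = {}
    for name, pat in BANNER_PATTERNS.items():
        m = pat.search(firmware)
        if m:
            found[name] = m.group(1).decode()
    return found


def find_secrets(firmware: bytes) -> list[str]:
    """Layer 2: names of the secret patterns present in the blob."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(firmware)]


def validate_sbom(sbom: dict, observed: dict[str, str]) -> dict[str, list[str]]:
    """Layer 3: compare what the SBOM claims with what the binary contains."""
    declared = {c["name"]: c["version"] for c in sbom["components"]}
    return {
        "missing_from_sbom": sorted(set(observed) - set(declared)),
        "version_mismatch": sorted(
            n for n in observed if n in declared and declared[n] != observed[n]
        ),
        # Declared but no banner seen: not proof of absence, so only flagged.
        "unconfirmed": sorted(set(declared) - set(observed)),
    }


def _vtuple(version: str) -> tuple:
    """Parse 'x.y.z' with an optional OpenSSL-style letter suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def _on_branch(version: str, branch: str) -> bool:
    """True when the version's leading numeric parts equal the branch's."""
    parts = tuple(int(p) for p in branch.split("."))
    return _vtuple(version)[:len(parts)] == parts


def map_advisories(observed: dict[str, str], feed: dict) -> list[tuple[str, str, str]]:
    """Layer 4: (component, version, advisory id) for each observed component
    on an affected branch below the fixed version. Correlation uses the
    versions found in the binary, not the SBOM's claims."""
    hits = []
    for comp, ver in observed.items():
        for adv in feed.get(comp, []):
            if _on_branch(ver, adv["branch"]) and _vtuple(ver) < _vtuple(adv["fixed_in"]):
                hits.append((comp, ver, adv["id"]))
    return hits


def analyze(firmware: bytes, sbom: dict, feed: dict) -> dict:
    """Run layers 2 to 4 and return one report for the CI job (layer 5)."""
    observed = extract_components(firmware)
    return {
        "components": observed,
        "secrets": find_secrets(firmware),
        "sbom_check": validate_sbom(sbom, observed),
        "advisories": map_advisories(observed, feed),
    }


if __name__ == "__main__":
    report = analyze(FIRMWARE, SBOM, FEED)
    print(json.dumps(report, indent=2))
    # Fail the build when anything actionable shows up (layer 5).
    raise SystemExit(1 if report["secrets"] or report["advisories"] else 0)
```

The instructive part is the OpenSSL line: the SBOM says 1.1.1k, the binary says 1.0.2k, and only the binary's version trips the advisory check. Scanning the manifest alone would have reported this build as clean. A real pipeline would replace the hand-made feed with a current advisory source, add a proper string and symbol extractor for the firmware, and keep the "unconfirmed" list as a prompt for deeper analysis rather than as a finding.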
Shift Left. Shift Right. See Everything.
"Shifting left" means catching issues earlier in the development cycle. That is necessary, but in IoT it is not sufficient: you also need to shift right, to the final compiled artifacts, because the firmware image is what actually ships on the device.
That means scanning:
- Source code (left)
- Compiled binaries and firmware images (right)
- Everything in between: build configuration, linked libraries, and packaged images
What You’ll Get from Doing This Right
- Real Risk Visibility: Know what’s exploitable, not just what exists
- Faster Remediation: Fix vulnerabilities where they happen—in source, configs, or binaries
- Better Compliance Posture: CRA, FCC, FDA, NIST—pick your acronym. They all want proof.
- More Secure Products: Ship firmware that you can stand behind
Final Word
This isn’t just about checking a box. It’s about building trust. In your code. In your supply chain. In your ability to respond fast when threats emerge.
Modern IoT security isn’t one tool. It’s a layered strategy. Start where you are. Expand your visibility. And never, ever settle for scanning the surface.
Larry Pesce is VP of Services at Finite State, where he leads product security research and vulnerability assessments across IoT, OT, and healthcare devices. With over 20 years of experience, he’s also a longtime SANS instructor and co-host of Paul’s Security Weekly, known for advancing vulnerability management practices industry-wide.