What is product security? Why does it matter to an increasing number of organizations? These are questions we addressed in our original post, "What is Product Security?", in March 2022. But, in the two years since, how has product security changed? How has it evolved as organizations across many sectors have invested considerable resources to build awareness around product security and stand up programs?

In 2021, a Ponemon Institute report revealed that over 40% of surveyed IT security professionals considered product security a priority. This sentiment was echoed in their detailed findings:

  • 41% reported product security as an organizational focus,
  • 50% assessed it before product shipment, and
  • 59% acknowledged losing sales due to security concerns.

These numbers underscored the growing importance of product security in the corporate world at the time. 

Fast forward to 2024, and the landscape of product security has evolved significantly. Today, product security is viewed as encompassing an entire ecosystem of software and hardware products. This larger context, called software supply chain security, has evolved into its own area of concern. 77% of CISOs believe it to be a more significant blind spot for AppSec than generative AI or open source, according to one recent study.

Since 2022, the integration of product security within the development lifecycle, particularly in IoT and application security (AppSec), has become a standard practice. This shift aligns with the increasing sophistication of cyber threats and the need for robust, preemptive measures.

How has product security changed since 2022?

A lot can happen in just two years. Since we last answered this question for our readership in 2022, we've noted the following changes in product security as a discipline:

  1. Increased Threat Landscape: The complexity and frequency of cyber-attacks have increased, prompting more robust and advanced security measures.
  2. Greater Emphasis on Supply Chain Security: The rise in supply chain attacks has led to more stringent security practices and scrutiny of every component in the product’s supply chain.
  3. Advancement in AI and Machine Learning: The use of AI for security purposes has advanced significantly, providing more accurate and faster threat detection and response.
  4. Expanded Regulatory Landscape: There's been an expansion in global cybersecurity regulations and standards, mandating more rigorous compliance.
  5. Shift in Consumer Awareness: Consumers have become more aware and demanding regarding the security and privacy of the products they use, influencing how companies approach product security.
  6. Integration of Security in IoT and Connected Devices: As IoT devices proliferate, there's been a significant focus on securing these devices against potential vulnerabilities.

Product Security in 2024

Product security in 2024 is more dynamic, data-driven, and integrated into the broader business and product strategy than it was in 2022, reflecting the rapid evolution of technology and cyber threats.

  1. Holistic Approach: Product security now involves a holistic view, considering not just the product itself but its entire ecosystem, including supply chain, third-party components, and user data handling.
  2. Automation and AI Integration: There's a greater reliance on automation and artificial intelligence to detect threats and vulnerabilities, analyze risks, and even suggest or implement real-time countermeasures.
  3. Software Bill of Materials (SBOM): SBOMs have become a standard practice, providing transparency into software components, their origins, and dependencies, thereby aiding in vulnerability management.
  4. DevSecOps Integration: Security is integrated into every stage of the product development lifecycle, with DevSecOps becoming a standard practice for many organizations.
  5. Regulatory Compliance: Regulations and standards around product security have become more stringent and widespread, reflecting the increased awareness and importance of cybersecurity in products.
  6. User Privacy and Data Security: With growing concerns over data privacy, product security now heavily emphasizes protecting user data and complying with global data protection laws.

Defining Product Security

Traditionally, product security was about ensuring that devices and software were secure before reaching customers. This meant considering security aspects right from the design and development stages, rather than as an afterthought.

In 2024, this concept has expanded. Product security now includes a holistic view of the entire supply chain, leveraging automated and AI-driven tools for threat detection and management. With the continued rise in interconnected IoT devices, the focus on securing these devices has intensified, driven by the need to protect against potential vulnerabilities inherent in both software and hardware components.

Finite State & Evolving Product Security

The Finite State Next Generation Platform, specifically designed for connected devices and embedded systems, offers a comprehensive solution for modern product security challenges. In 2024, it features advanced capabilities such as extended SBOM management, aggregating data from over 150 external sources for a unified risk view, and offering actionable insights for vulnerability management. The Next Gen Platform not only assesses product security but also provides critical data and remediation guidance, significantly enhancing the security posture of connected devices and software supply chains.

What does the future of product security hold? With over 20 billion connected devices in use and this number steadily growing, the need for robust product security is more important now than ever. Finite State continues to lead the way, offering scalable and automated solutions that address the complex challenges of today’s product security landscape. As we look ahead, the integration of AI, comprehensive risk management, and regulatory compliance will remain key drivers in the ongoing evolution of product security.