Podcast

Mind of a Hacker, Role of a Defender, with Larry Pesce

3 min read

Dec 6, 2022 4:19:20 PM

How can an early interest in taking things apart lead to a career in penetration testing, connected device security, and, eventually, to Finite State?

How does OT product security compare to consumer IoT product security?

How do we make room for basic security fundamentals that prevent or mitigate vulnerabilities? And how do we make sure we remember to check for critical flaws before we seal the box on these devices?

On this episode of the IoT: The Internet of Threats podcast, we met with Larry Pesce, Finite State's new Product Security and Analysis Director and co-host of the long-running Paul's Security Weekly podcast, to:

explore the origins of Larry's long and accomplished career as a pen tester and security and research expert
examine the pressure that lower production budgets impose on product security professionals
the questionable value of regulation as a catalyst to drive product security investment and improvements
the potential role SBOMs can play in cybersecurity.

Check out the discussion on this latest episode of IoT: The Internet of Threats podcast.

In this episode, Eric and Larry discuss:

What it was like to pioneer the Paul's Security Weekly podcast in the early days of podcasting (and co-hosting the show for the last 17 years!)
How Larry's early interest in taking things apart led to a career in embedded device security and, eventually, to Finite State
How the drive to lower production costs pressures manufacturers to sacrifice invisible differentiators like product security
Whether regulation can serve as an effective mechanism in encouraging product security improvements
How companies can work to overcome the complexities of product security programs
The SBOM as a product security tool and whether it could also be a roadmap attackers can use to target your connected device ecosystem

Penetrating the invisible differentiators of product security

11842-LinkedInQuoteGraphic_Episode13_Quote1_v1

Competitive pressures force many manufacturers to sell their connected devices on razor-thin profit margins that don't easily allow investment into often-invisible differentiators like product security. That is why it's often on the chopping block when trying to meet a price point. In consumer IoT, where manufacturers sometimes white-box a set of firmware across multiple manufacturers, multiple SKUs can all suffer the same endemic problems with vulnerable code.

How do we make room for basic security fundamentals that prevent or mitigate vulnerabilities? How do we make sure we remember to check for critical flaws before we seal the box on these devices?

On this episode of the IoT: The Internet of Threats podcast, Larry Pesce, Finite State's new Product Security and Analysis Director, joins me to explore how we make sure product security remains a priority when cost-cutting pressures mount.

Why Do I Need an SBOM Anyway?

11842-LinkedInQuoteGraphic_Episode13_Quote2_v1

Many products within OT networks were designed for 20- to 30-year lifespans, and those lifespans are expiring. With the rising likelihood that OT products may harbor serious security issues, how can an SBOM help? And should regulation play a role in helping security practitioners see its value?

Hear Larry Pesce, Finite State's new Product Security and Analysis Director, explain the value of the SBOM in OT environments and why it's a lot more than the check-box assigned to this valuable tool by some.

Episode Details

Since joining Finite State, Larry has been serving as a senior consultant, providing expert product security program design and development and IoT pen testing guidance and services to product security teams worldwide. He is also a Certified Instructor at the SANS Institute and has co-hosted the Paul's Security Weekly podcast since 2005. Before joining Finite State, Larry spent 15 years as a penetration tester (amongst his various roles) focused on healthcare, ICS/OT, wireless, and IoT/IIoT embedded devices. Larry holds several GIAC certifications and earned his B.S. in Computer Information Systems from Roger Williams University.