Welcome to part 4 of our ongoing series of blog posts exploring product security and the software supply chain. In our last blog post, we covered the third step—Prioritization—that companies take on the road to connected device security.
Today, we move on to Step 4— Remediation. If you’d like to jump ahead and see the rest of the six-step process, or even just look at everything, all at once, you can read our comprehensive white paper, The Ultimate Guide to Connected Device Security, here.
Remediation - The Path Best Traveled
After you've discovered, assessed, and prioritized your vulnerabilities, you need to start doing something about them. The path you take to do that depends on whether you own the code in your connected device or you’ve purchased it from someone in your software supply chain.
If you manufactured the product that has the vulnerability, your product security team may already have the inside track on how to remediate the affected code. But, what if you're facing multiple high-risk vulnerabilities that span several products?
Even when prioritization brings some efficiency to the remediation process, your timeline still depends on your resources, time, and budget, and that's not often within one person's control. To show a return on the resources required for remediation, manufacturers can run and compare post-fix scans to pre-work scans to show the progress they've made.
Asset owners also often find themselves approaching these same product security teams when they need the vulnerabilities lurking within their code fixed. However, it's even harder to corral those time and resources when they're not even in the same company.
Convincing a product manufacturer to remediate vulnerabilities and weaknesses found within their product isn't always an easy ask, and they don't always say 'yes.'
Why Don't Product Manufacturers "Care" More about Product Security?
Product security is often an "invisible differentiator," which results in some claiming that it's not a differentiator at all. Product security, or the lack of it, is most visible something goes wrong, or, even terribly wrong-like when you trace a new celebrity CVE into your product ecosystem.
You can also "see product security" when you have advanced tools like SBOMs that help you get continuous visibility into products, all the way to the subcomponent level. But, even when you have a list of what you have, and you have a connected-device security partner like Finite State to help you tie that list to known vulnerabilities, how do you convince product manufacturers to remediate their vulnerabilities and weaknesses?
Convincing Product Manufacturers to Take Product Security Seriously
In the end, how can you, as a purchaser of an IoT/OT product convince a manufacturer to remediate vulnerabilities and weaknesses?
You can always wait for an update to bring new software or firmware that addresses the vulnerability, but what if you can't wait? If the stakes are too high like they often are in medical care, critical infrastructure, or connected vehicle applications?
While many asset owners cannot resolve vulnerabilities without the help of product manufacturers, they can effect change with the power of the purchase order.
When asset owners have SBOMs and vulnerability assessments at their disposal, they have the information they need to encourage vendors to improve their product security postures.
Quite simply, asset owners can ask vendors to make changes and withhold future purchases until they do.
Important Note: Relationships between asset owners and product manufacturers don't have to go bad when product security concerns take the spotlight. Collaboration often results in a better solution for both parties and leads to a more secure cybersecurity environment and can be fostered by the product security and supply chain security vendors who work as intermediaries, connecting asset owners and manufacturers so they can communicate more clearly and collaborate more effectively.
Learn more: Read the Ultimate Guide to Connected Device Security
To truly defend your connected product—and the services it will provide—you need a solution that helps you address and resolve the risks presented by the vulnerabilities and weaknesses within your IOT/OT ecosystem. That’s why the remediation stage of the connected device security journey is so important.
Are you ready to begin down your own road to product security?
Finite State’s Ultimate Guide to Connected Device Security explores product and software supply chain security and how to identify, assess, prioritize, and mitigate the vulnerabilities that lurk within your connected devices.
Download Finite State’s Ultimate Guide to Connected Device Security today!
You May Also Like
These Related Stories