More than 40 percent of respondents to a 2021 Ponemon Institute report say that product security is a priority in their organizations.
In October 2021, the Ponemon Institute asked more than 600 IT security professionals about the product security strategies they had implemented within their organizations. Here’s a summary of what they learned:
41 percent of respondents report that product security is an organizational priority
50 percent of organizations assess product security before a product ships to customers
59 percent of organizations report losing sales due to product security concerns
Clearly, product security matters to an increasing number of organizations, but not to as many as it should. When you approach your organization about product security, and they ask you to define it, how do you define product security? What makes product security different from other forms of IoT security?
Finally, why should organizations invest resources into product security? Read on for Finite State’s perspective.
Defining Product Security
Product security encompasses the efforts that developers or manufacturers undertake when they build a secure product. It’s important to emphasize the words “when they build” in that definition because product security, done right, forms an integral part of the creation of a product.
Product security is not something that only happens after a product is manufactured, or, worse, when an end-user opens a box that contains, for example, a doorbell camera, and wonders how to make sure that it’s secure. The product security of that doorbell camera should be contemplated before it’s ever shipped to a customer—and even before it rolls off an assembly line.
Product security has been around for a long time, but today, it’s growing in importance and adoption. In the security ecosystem, product security runs parallel to two other well-established categories:
In IoT security, we try to protect devices on our networks with security programs that identify attacks when they happen and then we try to respond quickly—even though these devices are often unmanaged.
In AppSec, or application security, we look to static and dynamic application security testing, as well as software composition analysis. AppSec ensures that development teams are building their applications securely and not setting the stage for lots of fires to put out later because we have insecure network applications.
How Is Product Security Different Than Other Forms of IoT Security?
Beyond IoT security and AppSec, product security helps embedded device teams build secure products. Because embedded devices often combine hardware and software components, product security frequently looks to AppSec to improve software security. But, that’s only part of the solution.
Product security means making sure the products that we ship are secure and abstract tools generally will not work on embedded systems. These tools have been designed to support web applications that run in different languages, on different systems, and according to different deployment cycles than those used in embedded devices.
When they build embedded devices, engineers and developers risk integrating vulnerabilities and threats from third-party components, which can include hardware, software, firmware, drivers, and operating systems. These opaque threats can come from any one of the components that would appear on a Software Bills of Materials, and AppSec tools just aren’t designed to see into the composition of devices, identify potential vulnerabilities, and then determine their severity.
How to Improve Your Product Security
Through the Finite State product security platform, we can help device developers and manufacturers instill confidence in the security of their products. We purposely built the Finite State Platform to assess product security in connected devices and embedded systems and deliver actionable insights, critical vulnerability data, and remediation guidance you can use.
Gain control of product security for your connected devices and supply chains. Mitigate product risk. Protect your connected attack surface.
There are more than 20 billion connected devices in use today. If you’re ready to take the next step toward product security, talk to the Finite State team today. We’ll show you how scalable and automated a leading-edge product security program can be.