As a user of connected products, you may not always be able to see how hard it can be for product manufacturers to have an accurate and complete inventory of the software components that make those products work.
Why? If they make the connected products, they should be able to say what’s in them, right?
That’s not always often usually so.
It’s a challenge for the people building the products because most of those products are created using a lot of software, from many different sources and suppliers.
Think about an IoT device, like a wireless router. That wireless router has different chipsets that come with radio software, open-source software … many kinds of software. Some of that software may be embedded within the device, which has a web interface, making it exploitable.
That small wireless router represents its own complex ecosystem of components with distinct suppliers and supply chains.
That reality makes it difficult to generate an inventory of its components—an SBOM—and assess its product security and software supply chain security—even if you’re the one who’s building it. So, where do products manufacturers, and the product users who rely on their product security controls, go from here?
For Product Manufacturers: Creating a comprehensive software component inventory
Finite State helps product manufacturers scan their inventories and see inside the binary artifacts within their connected products. After they have an accurate inventory for their products, they can use these inventories to monitor these components for new vulnerabilities and threats as they emerge and are reported.
For Asset Owners: Manufacturers don’t control all the code in their environment either
Many manufacturers face the same challenges as asset owners. They don’t create all their code. If just 20% of the code in their products is first-party that their engineers wrote themselves, the remaining 80% might be open-source or developed by a supplier with different and possibly less stringent internal controls.
Even manufacturers need to work up their supply chain to make sure they know what is in their ecosystems and the problems they need to fix. In this scenario, manufacturers, like asset owners, must:
- Recognize that a vulnerability exists and that it needs to be managed
- Provide enough information to their supply chains so that suppliers can work with them collaboratively to mitigate the risk
Tackling the vulnerabilities and threats that chip away at the confidence in a connected product’s security is hard work, and it takes time, money, and resources that could be invested in the other “fires” that need tending within many of our companies.
So, how do assets owners, the users of these connected products, create the impetus needed to overcome that friction that hard work sometimes generates?
The Power of the Supply Chain
As complex and nebulous as product supply chains can be, they also offer a way to effect positive change to those who can harness their power.
Suppose you have that chipset. The software on that chipset may have been built by a company that sells that software to 100 different companies that each include it many different products. Those 100 companies each become a stakeholder in wanting to see that code secured. But, the chain doesn’t end there—it also includes the customers of those 100 companies, which could easily grow that number of stakeholders who want to see that code fixed into the thousands, or even millions.
Each of these manufacturers and users of the products that include this code becomes a stakeholder whose voice can influence the effort and action needed to remediate the vulnerability or threat—however, it’s only through the transparency of knowing which components you have, and the vulnerabilities that apply to those components, that you have the information you need to know where you’re exposed, and what needs to be fixed.