Securing the Release: Pen Testing, Patch Management, and Compliance in Practice
Explore practical best practices for secure releases, artifact distribution, and post-market operations aligned with global IoT security standards.
Transcript
Moving on to the testing cycle.
Again, you do dynamic testing for security.
Also, you wanna do penetration testing.
And usually, in practice, penetration testing should be done, a light one, at every release, even if you're releasing every month or every quarter.
But at least a full-blown penetration test, either if you have the capability internally or using an external, you know, vendor.
You want full-blown penetration testing at least once a year or during any major architectural changes of the product. So if you have a release where you are changing or adding major components, you wanna make sure that you do the full penetration testing.
So moving on to the right side, obviously, you'll make sure you are releasing the product in a secure manner. And by that, what I mean is you secure the distribution channel. Many of, you know, IoT and embedded suppliers, we develop the binaries and even put them on the website to be downloaded and installed by the customers, so make sure you have, you know, security in place for the artifact in terms of, you know, integrity, authenticity, and other checks.
You wanna secure the release artifact itself through digital signature and other code signing approaches.
And then, you know, when you are deploying, make sure you are deploying with the secure default configuration. So from the get-go, it should be secured.
Make sure system is important. And then during the operations, the things we talked about before: make sure your vulnerability management is in place, you are identifying, you know, managing, remediating vulnerabilities.
You have incident response, not just a plan, but a plan that is practiced frequently enough to be ready at any time, you know; set up a proper patching and update cadence; and especially for IoT and all the cloud-side things, you wanna make sure you have complete visibility and monitoring all the time for the entire back end cloud infrastructure, application, and everything else that you're hosting.
And then you gotta have a very clear understanding of how long.
In fact, CRA is going to require you to declare how long you're going to support the product from a security patching perspective and when the planned end of life is. So, you know, in our experience and, you know, me personally, many places, you start building these high level capabilities.
You will set foundation alignment to any security standard or, I mean, should be regulation.
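The speaker's point about securing the release artifact (integrity and authenticity of a binary that customers download and install) can be made concrete with a small sign-and-verify flow. The following Go program is an added illustration, not code from the talk or from any vendor it mentions. It assumes a constructed manifest format (version plus SHA-256 digest of the artifact, signed with Ed25519 from the Go standard library) and constructed sample firmware bytes; a real pipeline would hold the private key in an HSM or signing service and bake the public key into the device image so it cannot be swapped along with a tampered download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped next to a release artifact.
// Constructed format for this example only.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the artifact bytes
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256)
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: artifact is not authentic")
	ErrDigestMismatch = errors.New("artifact digest mismatch: artifact was modified")
)

// manifestBytes is the exact byte string that gets signed. Binding the version
// to the digest means an old, vulnerable build cannot simply be relabelled as new.
func manifestBytes(version, digestHex string) []byte {
	return []byte(version + "\n" + digestHex + "\n")
}

// SignArtifact runs on the release pipeline, the only place the private key lives.
func SignArtifact(priv ed25519.PrivateKey, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	digestHex := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digestHex,
		Signature: ed25519.Sign(priv, manifestBytes(version, digestHex)),
	}
}

// VerifyArtifact runs on the customer or device side with only the public key.
// Authenticity is checked first (signature over the manifest), then integrity
// (the downloaded bytes must hash to the digest the vendor actually signed).
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, artifact []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Key generation stands in for a release-signing key held in an HSM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	firmware := []byte("constructed sample firmware image v1.4.2") // constructed input
	m := SignArtifact(priv, "1.4.2", firmware)
	fmt.Println("genuine download:", VerifyArtifact(pub, m, firmware))

	// Integrity failure: one byte flipped in transit or on a mirror.
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0xff
	fmt.Println("tampered download:", VerifyArtifact(pub, m, tampered))

	// Authenticity failure: someone edits the manifest to relabel the build.
	relabelled := m
	relabelled.Version = "1.4.3"
	fmt.Println("relabelled manifest:", VerifyArtifact(pub, relabelled, firmware))
}
```

The order of checks matters: verifying the signature before trusting the digest means the digest itself is covered by the vendor's key, so a mirror that serves a modified binary with a matching modified checksum still fails. The same verification should run on the device before the image is written to flash, and pairing it with a version or rollback-counter check covers the downgrade case the signature alone does not.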