Connecting devices to the Internet necessitates a different kind of software security.
Companies naturally protect themselves from known threats. But because there is little security awareness beyond normal IT, a lot of them have only protected the parts they thought about first. Embedded devices (especially IoT devices) have quite different security needs: life cycles, use cases and, most importantly, the risk analysis are all very different in embedded development.
In the past, hackers had a relatively small attack surface and security needs were relatively low. This is no longer the case. Today, ‘normal’ hackers are more sophisticated – and because of the increasing connectivity of devices, they have an ever-expanding surface to exploit.
Of course, your customer doesn’t think about all this. Consumers just want a secure device, without specifying what that means.
Is it possible to deliver a secure device?
Will the invested money be worth it? How will it impact usability, functionality and time to market?
The following picture will help us to understand the problem:
As in the picture, a lot of money is often invested in securing the normal entrance through which we think users (and therefore attackers) will come in. An engineer will put a lot of time and effort into this hurdle to make it as secure as he thinks necessary. That’s one obvious cost. But this approach leads to other, hidden costs.
• These controls will only be a hurdle for the honest user.
• Your customer will be annoyed by needing to insert security tokens.
• Your service technicians will have more difficulty with repairs.
A lot of unneeded costs start to add up. Security becomes an investment with decreasing benefits. An incomplete security strategy doesn’t just mean gaps in your armour. Clunky solutions could be costing you valuable resources in employee time, and leading to complications further down the road.
By contrast, a strategic risk and threat analysis will help you put security in place that works with rather than against your people, saving you future expenses and headaches.
The security level your products need is unique and depends on your customers and business model. You need to decide what you need and what this is worth.
We’d love to help you implement a clean strategy so that security is a gain, not a drain. Get in touch!