Security Processes for Connected Devices: Revisiting AppSec

Application Security vs. Device Security
We can learn a lot from the application security space when it comes to building out product security processes for connected devices. While apps and devices are fundamentally different things, some AppSec approaches translate well into the product security world provided you have the tooling and expertise specific to connected devices and embedded systems.
Before we dive into the processes themselves, let’s briefly take a look at why traditional AppSec tools don’t work on connected devices.
While an app is a single program, a device is an entire system that may contain hundreds of programs along with hundreds or thousands of configuration files and settings. It relies on a technology stack that includes hardware, bootloaders, OS components, and drivers.
What this means for device manufacturers is that your job is to secure everything from the programs to the hardware. AppSec tools were not designed around these problems. You may think that these tools can solve part of the problem (e.g., for first-party software within the firmware of these devices), but to glean the data you need to secure your device, you need tooling that is compatible with the entire system, not just individual files. Furthermore, most of these tools lack the ability to analyze and support the embedded system architectures, tools, and binary formats that form the foundation of modern devices.
