Security Processes for
Application Security vs.
We can learn a lot from the application security space when it comes to building out product security processes for connected devices.
While apps and devices are fundamentally different things, some
AppSec approaches translate well into the product security world
provided you have the tooling and expertise specific to connected
devices and embedded systems.
Before we dive into the processes themselves, let’s briefly take
a look at why traditional AppSec tools don’t work on connected
While an app is a singular program, a device is an entire system that may contain hundreds of programs along with hundreds
or thousands of configuration files and settings. It relies on a
technology stack (including hardware, bootloaders, OS components,
What this means for device manufacturers is that your job is to
secure everything from the programs to the hardware. AppSec tools
were not designed around these problems. You may think that
these tools might be able to solve part of the problem (e.g. for firstparty software within the firmware of these devices), but in order
to glean the data you need to secure your device, you need tooling
that is compatible with the entire system, not just individual files.
Furthermore, most of these tools don’t have the ability to analyze
and support the embedded system architectures, tools, and binary
formats that form the foundation of modern devices.
Thank You For Your Interest