This article was co-authored by Matt Wyckhouse, CEO of Finite State.
Over the past decade, we have seen the rapid adoption and expansion of connected devices and embedded systems among businesses. This includes anything from the Internet of Things (IoT) to connected medical devices, building systems, Industrial Control Systems (ICS), and other devices that power our lives and our infrastructure.
In recent years, improved connectivity and the rollout of expanded 5G service have given organizations an even bigger opportunity to untether these devices and deliver a rich experience across the enterprise. The result is a swell of highly sophisticated and complex devices: by 2025, the number of connected devices is expected to reach 55.7 billion globally.
Veracode has long been a leader in application security, offering static analysis, software composition analysis, and dynamic analysis, and has now entered into a partnership with Finite State, an expert in connected device security, to help our customers fully address their product security needs.
While advances in connected device technology have opened the door to new capabilities with greater operational scale and increased efficiencies, devices come with a unique set of security challenges.
Key challenges in securing connected devices
- Complex and opaque supply chains make it difficult to assess risk. With a globalized economy and expanding use of open source software in the creation of these devices, it’s becoming more difficult for device manufacturers and their customers to know what exactly is running inside their products and the scope of the security and license risk lurking within.
- Only about 20% of the code in these devices is first party, on average. Sometimes it’s as little as 5%. Open source makes up a huge share of the components in connected devices; anything from libraries to the operating system itself can be open source or created by a third party. Traditionally, device manufacturers analyze their first-party code (a difficult process in and of itself) as part of their security program requirements. However, as first-party code has become a smaller fraction of what actually runs on these devices, manufacturers are often left in the dark about the majority of their device components.
- Greater use of open source brings heightened license and compliance risk. Development teams want to use open source components to increase the speed and scalability of development. However, prolific use of open source expands the tracking and reporting an organization must do to stay compliant with license obligations. Legal and compliance teams need near-continuous updates and ongoing assessment of open source license use for audits and other compliance purposes, and manual tracking no longer scales to the pace of modern product development.
- An increase in publicly reported vulnerabilities and security breaches around connected devices is causing customers and regulators to ask for more transparency into product security. Supply chain attacks on connected devices are not new, but the proliferation of these devices has created a larger attack surface than ever before. As organizations adopt these devices more broadly across the enterprise, attackers find greater opportunity to inflict damage and monetize their activities. As a result, we’re seeing an increase in regulations surrounding connected devices and their supply chains, as well as a growing number of end users who want proof that these products won’t be putting their networks at risk.
- Very little tooling is available, because of the complexity of the analysis and the variety of architectures and systems that must be analyzed. Analyzing device firmware means testing an entire system made up of hundreds of programs, including drivers, applications, and the operating system, not a single application. The only way to truly understand what is in your device is to use tools built specifically to handle the file formats, system configurations, binaries, and processor architectures found in these devices. Few vendors today can analyze first- and third-party code across this landscape in a unified way that fits modern development workflows.
- Security issues are much more costly to fix after deployment. In the AppSec space we have seen a huge push toward shifting security left, that is, addressing security issues earlier in the development process. The reasoning is not only that vulnerabilities are caught earlier, but also that remediating an issue late in the process costs far more because so much more work has to be redone. This applies to connected devices too, and even more so: these flaws need to be caught before the devices are shipped and deployed. Because these are physical devices, addressing an issue after deployment can require sending a team to the location of every affected device to make sure it is updated and configured properly each time a new issue arises.
Why should device manufacturers care?
It’s no secret that attacks on connected devices are increasing in frequency and sophistication. But many device manufacturers have yet to invest in preventing even the most straightforward breaches. Take, for example, a recent breach of Verkada security cameras, during which hackers were able to gain access to live feeds of over 150,000 security cameras inside companies, schools, police departments, and hospitals.
In this instance, the breach required fairly unsophisticated methods. The attackers entered Verkada’s cloud environment using hard-coded credentials obtained from an administrator account that had been exposed publicly on the internet. From there, they compromised the devices themselves through a hard-coded backdoor in the cameras that should never have existed. A robust security testing program must catch issues in the cloud and detect software- and device-level issues, especially anything that allows backdoor access into the devices themselves, such as credentials baked into the firmware or undocumented service accounts. This attack and so many others could have been avoided with the right tooling and DevSecOps programs in place.
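As an added illustration of the two problems above (knowing which third-party components are inside a firmware image, and catching hard-coded credentials and backdoor accounts before a device ships), here is a small scanner for an unpacked firmware root filesystem. It is example code written for this article, not Finite State’s or Veracode’s tooling, and the sample root filesystem it builds (file names, version banners, account names and password hashes) is constructed for the demonstration.

```python
"""Inventory third-party components and flag hard-coded credentials in an unpacked
firmware rootfs. Added example for this article, not Finite State or Veracode code."""
import json
import os
import re
import tempfile

# Shared-object file names such as libssl.so.1.0.2k carry the component version.
SONAME_RE = re.compile(r"^lib(?P<name>[A-Za-z0-9_+-]+)\.so\.(?P<version>[0-9][0-9A-Za-z.]*)$")
# Version banners that appear as string constants inside common embedded tools.
BANNER_RES = {
    "busybox": re.compile(rb"BusyBox v(?P<version>[0-9][0-9.]*)"),
    "dropbear": re.compile(rb"dropbear_(?P<version>20[0-9]{2}\.[0-9]+)"),
}

# Constructed sample rootfs: a factory "support" account with UID 0 and a fixed
# password is the backdoor. The hashes are placeholders, not real crypt output.
SAMPLE_FILES = {
    "bin/busybox": b"\x7fELF...BusyBox v1.31.1 (2020-01-01) multi-call binary\x00",
    "usr/sbin/dropbear": b"\x7fELF...dropbear_2019.78\x00",
    "lib/libssl.so.1.0.2k": b"\x7fELF\x00",
    "lib/libcrypto.so.1.0.2k": b"\x7fELF\x00",
    "usr/lib/libjson-c.so.4.0.0": b"\x7fELF\x00",
    "etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n"
                   b"support:x:0:0:Factory support:/:/bin/sh\n"
                   b"nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"),
    "etc/shadow": (b"root:$1$saltsalt$placeholderhashAAAAAAAAAA:18000:0:99999:7:::\n"
                   b"support:$1$saltsalt$placeholderhashBBBBBBBBBB:18000:0:99999:7:::\n"
                   b"nobody:*:18000:0:99999:7:::\n"),
}

def inventory_components(root):
    """Return [{name, version, path}] for every component recognised under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            m = SONAME_RE.match(fname)
            if m:
                found.append({"name": m["name"], "version": m["version"], "path": rel})
                continue
            if os.path.islink(path):  # absolute links in firmware point outside the tree
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            for name, pat in BANNER_RES.items():
                bm = pat.search(data)
                if bm:
                    found.append({"name": name, "version": bm["version"].decode(), "path": rel})
    return sorted(found, key=lambda c: (c["name"], c["path"]))

def _read_fields(path):
    """Colon-separated records from a passwd/shadow style file, or [] if absent."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return [ln.rstrip("\n").split(":") for ln in fh if ln.strip()]
    except OSError:
        return []

def find_hardcoded_credentials(root):
    """Flag accounts that ship with a usable password or an extra UID 0. A '*' or
    '!'-prefixed hash cannot log in; anything else is a password baked into every unit."""
    findings = []
    for rec in _read_fields(os.path.join(root, "etc", "passwd")):
        if len(rec) < 7:
            continue
        user, pw, uid = rec[0], rec[1], rec[2]
        if uid == "0" and user != "root":
            findings.append({"user": user, "issue": "extra UID 0 account"})
        if pw == "":
            findings.append({"user": user, "issue": "empty password in /etc/passwd"})
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append({"user": user, "issue": "password hash in world-readable /etc/passwd"})
    for rec in _read_fields(os.path.join(root, "etc", "shadow")):
        if len(rec) < 2:
            continue
        user, hash_ = rec[0], rec[1]
        if hash_ == "":
            findings.append({"user": user, "issue": "empty password in /etc/shadow"})
        elif not hash_.startswith(("*", "!")):
            findings.append({"user": user, "issue": "hard-coded password hash in /etc/shadow"})
    return findings

def scan_sample():
    """Write the constructed rootfs to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return {"components": inventory_components(root),
                "findings": find_hardcoded_credentials(root)}

if __name__ == "__main__":
    print(json.dumps(scan_sample(), indent=2))
```

On the sample this reports five components (busybox 1.31.1, dropbear 2019.78, libssl and libcrypto 1.0.2k, json-c 4.0.0) and three findings: the `support` account is a second UID 0 user, and both `root` and `support` ship with a fixed password hash, meaning the same credential works on every unit. A real firmware image has to be unpacked first (the rootfs usually sits inside a vendor header as SquashFS, JFFS2 or similar), and a production inventory matches binaries by fingerprint rather than by file name, because vendors rename files and statically link components; the file-name and banner matching here is the minimum that shows how much of a device is third-party code.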
As we’ve seen time and again, not optimizing your product security processes to provide comprehensive analysis for connected devices and embedded systems brings high risks and high costs. The cost of a breach itself can be devastating. Not only must your organization allocate resources to address the compromised products, but your customer support and PR teams will need to work overtime to reassure customers, prospects, and the general public. A breach or an attack involving your products can have an incredibly damaging and lasting effect on your reputation as a company, and that trust will take a long time to rebuild.
There is more at stake beyond just the cost of an attack. The rise in high profile breaches and subsequent regulations have led customers to seek increased transparency in their procurement processes. Lack of hard data and proof of security is increasing the length of sales cycles and creating additional steps in the sales process that require time and resources to address. Increasingly, government entities and those who do business with them are starting to implement strict procurement guidelines.
Finite State’s comprehensive product security solution
Addressing these challenges can be difficult and costly, but the cost of doing nothing has the potential to be significantly worse. Traditional penetration tests and vendor surveys can give you some insight into the risk of connected devices, but they are not comprehensive or scalable and only focus on a single point in time versus the entire lifecycle of your product.
The Finite State solution is a comprehensive product security platform that leverages automated tooling to analyze your connected device products at every stage of their lifecycle and enables experts on your team to work quickly to resolve security issues.
Finite State’s platform has a scalable, SaaS-based model like Veracode’s, but is built specifically for connected devices and embedded systems. It offers Software Composition Analysis (SCA), Static Application Security Testing (SAST), and static system testing to show which components and security issues are baked into your product firmware and where your supply chain and open source vulnerabilities lie. The Finite State Platform gives your team:
- Comprehensive risk information, including a complete Software Bill of Materials (SBOM) that shows supply chain, open source, vulnerability, and compliance risk.
- Robust issue management capabilities and remediation guidance that empower your team to address security issues quickly.
- Executive-level reporting that allows you to communicate quickly and effectively with leadership, board, and customers.
- Dashboard and portfolio views that allow you to see which of your devices are affected by new threats and vulnerabilities.
Contact your Veracode account manager to learn how to take advantage of this partnership.