Some product management decisions are hard. Product managers are constantly weighing trade-offs among time-to-market, functionality, competitive differentiation, development costs and other factors.
But some product decisions seem like no-brainers. Would you bring an IT product to market that puts customers at significantly increased risk of security breaches, privacy violations, potentially massive fines, and lawsuits?
“Of course not. That would be lunacy,” you can imagine the typical product manager as saying. Yet companies are shipping products every day that introduce this sort of risk into customer environments.
The ‘Moving Target’ of Security
The issue is not that all products are inherently non-secure on the day they are shipped. Many vendors take great care in ensuring products are secure from day one of design.
The central issue is that a deployed product can suddenly become exposed to compromise as threats evolve in the wild or deployment modes change.
Zero-day exploits emerge that take advantage of very old vulnerabilities that previously were low severity. New modes of product deployment or use cases can suddenly expose a system to new environments and potentially unauthorized access.
The formula is simple: Environments, deployment and use cases are constantly evolving, so the product itself must evolve along with them. Security in that sense is a moving target.
Stated another way, if a product is released and deployed but not properly updated and patched continuously as the threat environment changes, then that product has effectively been “abandoned” and grown “stale.”
And an abandoned product is a product with an unknown, potentially massive attack surface, posing potentially equally massive risk for the deploying customer.
So why is there so little focus on vulnerability management and patch management these days?
Stale Products vs. Full Lifecycle Security
Patrick Mannion writing in Insight.Tech captured the point in a recent examination of how embedded systems are evolving as they become part of the Internet of Things. “Many IoT devices are ‘abandoned’ without active updates,” he says, “and so over time they become vulnerable to new attacks.”
The point was also highlighted by Tony Kontzer writing in the RSA Conference update blog recently.
SecurityScorecard released a 2018 report showing that cybersecurity in the healthcare industry is growing worse, not better, Kontzer wrote, citing “proliferation of connected devices, the rise in social engineering attacks and a lax approach to patches” as among the reasons.
In addition to poor patching and update practices leading to “stale” products that are not properly protected, the new ways in which products are used can make previously unimportant security issues more relevant.
One of 2018’s higher profile security issues illustrates this aspect. A report in July estimated that a widespread vulnerability left nearly half a billion deployed IoT devices open to compromise.
Was this some advanced persistent threat, breaking radical new ground in exploiting a previously unknown vulnerability?
Not at all. It was a 10-year-old vulnerability, widely reported and understood and previously considered to be low risk. But researcher Brannon Dorsey found that DNS rebinding had suddenly become relevant and risky because of the new ways products affected by it were being deployed.
These industry trends underscore the point about managing a device’s security throughout its lifecycle. A product’s security posture and the risk posed to customers using it must be managed throughout the product lifecycle. That means:
- Monitoring vulnerabilities that affect the product on an ongoing basis, such as CVE monitoring.
- Patch monitoring and making patches readily available and easy to manage and apply.
- Evaluating potential new risks from new use cases, including risks from old vulnerabilities that previously might have been of low importance.
Maintaining secure products
Timesys’ customers and partners have implemented the industry’s best practices for monitoring vulnerabilities and managing patches throughout their product lifecycles.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions enable device makers to produce products that stay secure via our Security Vulnerability and Patch Notification service.
Visit www.timesys.com to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.