By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
On the 17th, McAfee hosted their May #SecChat, which highlighted the current thinking around the security of embedded devices. I participated (@lkovnat) along with my colleague (@dtallinger) offering our perspectives as it relates to our business. As is typical in security when presented with a new threat, most people’s reactions are to dismiss it or minimize it. That seems to be the case here both on the vendor and customer side.
On the customer side, the thought is that “it’s embedded so it’s probably not a risk,” and on the vendor’s side there is in some cases a deliberate reluctance to address security issues either because of cost, time to market or simple inexperience. The security mavens realize the fallacy and danger of such thinking. But are they overreacting?
In the absence of any clear standards for the security of embedded devices many “securitatis” (think “Illuminati.” Can I be Stephen Colbert and invent new words?) want to test and test and then test some more. Too much of anything probably isn’t good, but the problem is no one can yet say how much is too much, at least not to a standard that is generally accepted in the community. So we have each customer defining their own threshold, which is just not workable in the long term. The smaller, less resourced customers simply can’t afford all that testing, so they are probably forced to accept an inordinate amount of risk. At the other extreme, large enterprises devote many resources to testing and may very likely be achieving diminishing returns on all that work.
What is needed is confidence building between vendors of embedded devices and consumers. The vendors need to show first and foremost that they “understand the problem.” They need to have and publish a security development lifecycle process. They need to participate in conferences and show that they understand the particular nuances of security within the domain of embedded devices. And, of course, they need to deliver the technology and services that back it up.
On the consumer side, customers need to hold vendors accountable in the marketplace for their approach to security. Sure they need to test, but they also need to understand the state of current security standards such as they are and be active in recommending which standards provide a risk level that they can accept. Clearly the thinking around the security of embedded devices is still evolving. The ubiquity of these devices makes the energy being devoted to the problem more than well justified.
What do you think – can we find a happy medium?