One theme that frequently comes up in my conversations with experienced security veterans when we talk about security and “the Internet of Things” is the absence of what might be termed a “security culture.” That’s a hard term to define, but it basically describes a kind of organizational culture that anticipates and guards against online attacks. Certainly companies that have been selling software in any great number for any amount of time have had to develop their own security cultures – think about Microsoft’s transformation following Bill Gates’s Trustworthy Computing memo, or Adobe’s more recent about-face on product and software security.
But that culture is lacking at many of the companies that have traditionally thought of themselves as ‘manufacturers’ – makers of “stuff,” but which now find themselves in the software business. Think General Electric (GE) or – even better – auto makers.
A couple of months back, I had the opportunity to sit down with Chris Wysopal of Veracode and Josh Corman of Akamai Technologies for the inaugural episode of “Talking Code” to discuss the challenges these companies – and their networks of suppliers and business partners – face. One of Chris’s key observations was that “security,” as opposed to “safety,” requires a notion of an adversary – someone actively trying to compromise your product.
“There’s an attacker who has something they want to control, and that’s hard for these engineers to understand,” Wysopal told me. “They don’t understand that there are people out there that want to do bad things.”
Here’s a link to two segments from our talk. In the first, we talk about the specific challenges to the automobile industry.
There’s more to this conversation, as well. If you want to watch the entire thing at once, point your browser over to Veracode’s web page and register to download the entire Talking Code episode.