One theme that frequently comes up in my conversations with experienced security veterans when we talk about security and “the Internet of Things” is the absence of what might be termed a “security culture.” That’s a hard term to define, but it basically describes a kind of organizational culture that anticipates and guards against online attacks. Certainly companies that have been selling software in any great number for any amount of time have had to develop their own security cultures – think about Microsoft’s transformation following Bill Gates’ Trustworthy Computing memo, or Adobe’s more recent about-face on product and software security.
But that culture is lacking at many of the companies that have traditionally thought of themselves as ‘manufacturers’ – makers of “stuff,” but which now find themselves in the software business. Think General Electric (GE) or – even better – auto makers.
A couple of months back, I had the opportunity to sit down with Chris Wysopal of Veracode and Josh Corman of Akamai Technologies for the inaugural episode of “Talking Code” to discuss the challenges facing these companies and their networks of suppliers and business partners. One of Chris’s key observations was that “security,” as opposed to “safety,” requires a notion of an adversary – someone actively trying to compromise your product.
“There’s an attacker who has something they want to control, and that’s hard for these engineers to understand,” Wysopal told me. “They don’t understand that there are people out there that want to do bad things.”
Here’s a link to two segments from our talk. In the first, we talk about the specific challenges to the automobile industry.
In the second, we go into more depth on how to secure the software supply chain, especially when it comes to the third-party software that is a standard part of most modern applications.
There’s more to this conversation, as well. If you want to watch the entire thing at once, point your browser over to Veracode’s web page and register to download the entire Talking Code episode.