In-brief: A senior attorney at the Electronic Frontier Foundation warned about the security knowledge gap facing traditional engineering firms as they pivot to making connected devices.
There’s an interesting write-up over at TechCrunch of a panel at the recent Disrupt New York Conference that waded into the security and Internet of Things question. The panel featured Nate Cardozo, a Senior Staff Attorney at the Electronic Frontier Foundation, and HackerOne CEO Martin Mickos.
One big question that came up concerned the security of embedded systems, including medical devices, voting systems and automobiles, the TechCrunch article notes.
“These companies have never really had to worry about security because they’ve never really had anything with networking,” said Cardozo, discussing the risks posed by the rise of the Internet of Things (or “the Internet of some other four letter word,” as he put it). “Why are we putting radios, why are we putting networking in everything?”
Traditional engineering firms without deep expertise in information security “don’t know what to do with a vulnerability report,” Cardozo said. That’s a far cry from software firms like Microsoft and Apple, which have had decades to get their processes right.
Mickos of HackerOne, which helps broker bounty programs for companies, said the best hope for securing digital data is to shift from proprietary to open source code. Companies need to understand they need to share their security burden by inviting in outside experts to help.
“In the old security paradigm people felt that human beings were the problem and tech is the solution. I think we’re now learning that actually tech is the problem and humans are the solution,” Mickos is quoted as saying. “By inviting everybody out there to help you and have a neighborhood watch where they can find your vulnerabilities is actually the fastest way to secure a system.”