Security Programs for Securing Connected Products and Systems

Security Programs blog post header.png

This article was authored by Deja Principal Security Consultant Shahnawaz Sabuwala, who brought to us extensive experience in infosec from giants including EY, Citi, Halliburton, and Wells Fargo.


Industry issues and trends.png

Executive Summary

What is the cumulative cybersecurity risk of an organization’s connected products, systems, and applications (CSP)? Does everyone agree the company is addressing the right risks at the right time? Do all partners understand their roles in responding to security issues?

CSP are driving industry growth across every sector of the market due to their cost saving and product lifecycle benefits. Security challenges have evolved
in this space and are more complex because security requires a different approach today–one that prioritizes not only availability, integrity, and confidentiality, but also control and safety.

In this article, Deja vu Security (Deja) outlines some of the most prevalent challenges posed by todays CSP–including lack of security integration into the development lifecycle–and provides an overview of a Deja approach to integrating security into the lifecycle. Deja can help your organization design, build, and transform its CSP security program, and provide managed security services for your company at every step of the development process.


Table 1.1 - Level of autonomy vs. threat rating

Table 1.1 - Level of autonomy vs. threat rating

CSP and the security challenge

Vuln to remote control.png

The increase in CSP brings mounting risks. In recent years, companies large and small have become susceptible to various attacks and exploits due to open vulnerabilities through their vulnerable CSP. Based on our experience with similar organizations, there are increased risks associated with CSP that send data to other CSP in accordance with their level of autonomy, leading to risks that transcend typical company risks (Table 1.1). These are heightened risks, primarily on disruptions to CSP, in turn causing system/equipment impairment, threat of physical safety, loss of R&D, and other critical issues. These have major consequences such as altered or interrupted automated production processes, and human injury or casualty. In addition, CSP, left unsecured, may affect customer expectations and customer trust. Security concerns have evolved in complexity due to the nature of CSP and the challenges they pose. A shifting paradigm requires that product security prioritizes confidentiality, integrity, availability, control and safety.

Hexagons.png

Top 5 challenges posed by CSP

In an evolving technology landscape driven by CSP, organizations face a myriad of challenges related to incorporating security within the development and post-development phases of CSP. Based on our experience with delivering cybersecurity services to organizations across a variety of industry sectors, we have compiled a list of top 5 CSP security challenges faced by our clients as follows:


Integrating security into CSP

In order to properly identify and mitigate these vulnerabilities, one must understand the environment and technologies that underlie them. Each component has a disparate development methodology, making it essential that the security program be holistic in nature. The final CSP is typically a combination of internally developed and externally sourced components, making it essential to ensure security of the underlying components from the supply chain.

SDL.png

Securing CSPs entails starting an inventory and risk profile, development of policies and procedures around CSPs, security testing, and monitoring. Securing analytics and control backend requires effective practices in software security, continuous monitoring, vulnerability identification and management, and denial of service protection. Finally, securing the operating product involves development of deployment guidance, intellectual property protection, threat intelligence, and incident response capabilities.

A common misconception across organizations is that traditional security controls can still be applied to a CSP environment since defects are fixed at a faster rate. While secure development principles still apply and automated checkpoints need to be built into each phase, the integration point and methodology need to be tailored for adaptation to faster phases and account for the operation’s changes.

Deja’s approach to connected products is unique because it covers the entire product development lifecycle. Maturing risk management is achieved by integrating an advanced risk identification processes into the development lifecycle, and the threat and vulnerability management processes. When implemented correctly, software security effectively manages the total cost of development and strategically aligns information security with business partners. Our approach can be applied to organizations regardless of their development methodologies or whether they build in-house or use vendors.


How can Deja consult and innovate?

  • Assess and design a CSP security program

    • Deja can assess the current product security program maturity, develop a future roadmap, and assess the implementation of a CSP solution.

  • Build and transform a comprehensive CSP security program

    • Deja can design a secure CSP development process and integrate it with engineering teams to determine secure requirements, design, development, and testing. Our team can also design and operate a CSP security governance committee to drive the security program, perform proof of concept for security technologies and build architecture to support adoption.

  • Provide managed security services

    • Deja can operate security services during the development of the CSPs. Moving to a managed service will allow flexibility to scale the team as new CSP integration and maintenance strategies change, while also increasing quality of existing services to align with senior management initiatives.