Is it possible to create Internet of Things systems that are state of the art in cyber security? Or IoT devices that are painfully hard for cyber criminals and hackers to break into? One thing is for sure: it is almost impossible to add security afterwards; security must be taken into account from the beginning of the product development project.
Create a security model for the product. Understanding your key assets and the threats to them is the core of creating the security model for your new product. Creating a security model means designing the security controls in such a way that identified threats are mitigated and the attack surface is minimized. These are the core principles of security by design.
Security by Design and DevSecOps
At Etteplan the security by design principle is taken seriously. For instance, threat modeling with the help of a security expert helps our development teams identify the threats and design the proper mitigations. Threat modeling and other security tools and methods make products secure enough to be part of safety-critical systems.
We call our process DevSecOps (read more about DevSecOps). Security is everyone’s responsibility and it is embedded in our R&D process. The value of our service is that the customer doesn’t need to worry about cyber security when the product is ready.
Fuzzing is fun and the HW debugger is our favorite tool
One concrete, practical example of our core competencies in cyber security is negative testing, e.g. fuzzing with the Bluetooth protocol. Fuzzing is one of the most effective ways to find 0-day vulnerabilities, for instance in the latest IoT protocols. Read more about fuzzing here.
Also, a passion for working with hardware, e.g. playing with oscilloscopes and different HW debuggers, makes our people superb hardware hackers!
A good read for understanding secure software development is Ficora’s (Finnish Communications Regulatory Authority) ’Turvallinen tuotekehitys’ guidelines: https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/Turvallinen_tuotekehitys_003_2018J.pdf