Blog

Five Key Elements of a Product Security Program

Assaf Harel, Karamba Security Chief Scientist | April 19th, 2021
binaries

So, you’ve just been hired as Product Security Director at the hottest Automotive company out there. What should you do?

  • Connect with the R&D teams and explain how you can help them and what efforts you can offload from their plate. If you can help them with integrating a tool – great! If you can connect them to peers at other companies who might share their experiences – also great! But even if not, an offer to give a presentation at their weekly meeting with interesting accounts of Cyber-attacks on vulnerabilities relevant to your industry might be received well. In-person is better than zoom, but these days, we take what we can get.

  • Get visibility into planned projects and projects in progress, to understand vulnerability exposure and the possibility of reducing risk (and complying with WP.29). You want to work with Engineering leadership to get an overview, and to understand management priorities: Which is the most important project to start with? Is there a product that has already been attacked? Which products would have a wider distribution? Has the organizations done any form of Threat and Risk Assessment (TARA)?

  • Find out who your suppliers are. Once you identify 3rd-party software providers – build the software’s Bill of Materials and assess the security posture of supplied ECUs and other software. If there is already someone in your organization responsible for mapping 3rd-party vendor risk in general – work together! Reach out to the vendors and offer to share the findings uncovered by your scans of their provided binaries, early in the process.

  • Initiate meetings with management to agree on expectations for security posture of current and future projects. Understand what has been done in the past. Discuss Industry best practices and risk profiles.

  • Recommend tools and processes to make it easy for R&D to seamlessly improve security postures. Possible quick wins are Threat Assessment& Risk Analysis, Software Bill of Materials, Runtime Integrity tools, and Security Remote Monitoring.

In summary: Learn, Connect, Delve into Issues, Plan, and Integrate State-of-the-Art Tools. Have a safe and secure journey.

Read more

Want to learn more?

Contact Us
Loc

Israel

24 HaNagar Street
Hod Hasharon
45277-13
Tel: +972 9 88 66 113

Loc

USA

41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 248-574-5171

Loc

Germany

Wasserburger
Landstr. 264, Munich
81827
Tel: +49 172 3991 036