So, you’ve just been hired as Product Security Director at the hottest Automotive company out there. What should you do?
Connect with the R&D teams and explain how you can help them and what efforts you can offload from their plate. If you can help them with integrating a tool – great! If you can connect them to peers at other companies who might share their experiences – also great! But even if not, an offer to give a presentation at their weekly meeting, with interesting accounts of cyber-attacks that exploited vulnerabilities relevant to your industry, might be received well. In-person is better than Zoom, but these days, we take what we can get.
Get visibility into planned projects and projects in progress, to understand vulnerability exposure and the possibility of reducing risk (and complying with WP.29). You want to work with Engineering leadership to get an overview, and to understand management priorities: Which is the most important project to start with? Is there a product that has already been attacked? Which products would have a wider distribution? Has the organization done any form of Threat and Risk Assessment (TARA)?
Find out who your suppliers are. Once you identify 3rd-party software providers – build the software’s Bill of Materials and assess the security posture of supplied ECUs and other software. If there is already someone in your organization responsible for mapping 3rd-party vendor risk in general – work together! Reach out to the vendors and offer to share the findings uncovered by your scans of their provided binaries, early in the process.
Initiate meetings with management to agree on expectations for the security posture of current and future projects. Understand what has been done in the past. Discuss industry best practices and risk profiles.
Recommend tools and processes that make it easy for R&D to seamlessly improve security posture. Possible quick wins are Threat Assessment & Risk Analysis, Software Bill of Materials, Runtime Integrity tools, and Security Remote Monitoring.
In summary: Learn, Connect, Delve into Issues, Plan, and Integrate State-of-the-Art Tools. Have a safe and secure journey.