Product Security Is More Than Securing Products

The Product Development Lifecycle

Product security begins with market research and extends through the product lifecycle: supply chain, third-party suppliers, external dependencies, on-system dependencies, infrastructure dependencies, and integrated software, firmware, hardware, and connectivity. It requires collaboration across the product teams, the business, IT, and external providers to ensure secure end-to-end delivery.

[Infographic: product development lifecycle]

Understanding the broad swath of specialization and product variations within each unique product category is critical to appreciating the challenge of product security. There are thousands upon thousands of unique design specifications, technical implementations, and custom integrations across a boundless set of industries and product categories in the markets. The following examples illuminate the challenges facing several industries. 

Automobiles: Connected Vehicles

Take the recent attack against CDK Global. CDK makes an application that interfaces between auto dealers and original equipment manufacturers (OEM). This attack effectively shut down automotive operations nationwide, with an estimated cost of over $1 billion. This event highlights the need for organizations to look at their in-house software and any software consumed from external vendors, where security rigor and maturity may be weaker. Other threats and risks in this industry include rapidly emerging technologies, no established security principles, few product vulnerability disclosure practices, no well-established Product Security Incident Response Team (PSIRT) processes, and heavy dependence on the supply chain.

To secure their supply chains, manufacturers must protect all communication paths and ensure they are untampered and from a trusted source. They must also incorporate secure-by-design principles that build in isolation, build in established and trusted architecture with a secure rules engine, and leverage talent with expertise in identifying vulnerabilities to support end-to-end product security.

Healthcare: Medical Devices

Threats and risks include a lag in adopting security guidelines and practices, medical devices running on legacy software, and healthcare data being a major target of bad actors. Several challenges further complicate the defense against these risks, including the complexity of legacy healthcare system devices, the vulnerability of out-of-date operating systems and firmware, the inability to apply traditional security tools directly, connected implantable devices which pose significant security challenges, the specialized expertise required to work with these technologies, a lack of industry standards, and the variation and density of these devices.

To successfully secure medical devices, manufacturers must develop targeted minimum detectable objects (MDO) for risks, implement security best practices, assess their end-to-end product development lifecycle, test application security for MDOs against Software as a Medical Device (SaMD) best practices, and implement vulnerability testing and remediation. Recent legislation highlights this shift in thinking. Section 3305 of the Consolidated Appropriations Act, 2023, requires manufacturers to address post-market cyber challenges.

Single-Purpose Devices: Embedded Systems

Single-purpose devices are designed to perform one task. Embedded systems are a subset of this technology. They are purpose-built to execute a specific function within a larger mechanical or electrical system (e.g., microprocessors or cruise control in automobiles). Threats and risks specific to this industry include compromises that can impact a larger scale than just the entry point due to the embedded nature of these devices, an industry-wide focus on performance over security, and a failure to engineer products with security features foreign to attacks. Challenges complicating this landscape include the enablement of technologies that exceed the pace of safeguarding practices, the system’s specialized nature spanning a spectrum of attributes, the rarity of industry-specific communication protocols, and a lack of security principles integrated into the design and development phases, which require the most oversight and control.

Keys to securing these devices include following common industry standards and best practices and leveraging industry knowledge and skills focusing on core security. MITRE’s EMB3D Threat Model gives device makers a common understanding of the vulnerabilities attackers are targeting.

The Journey Forward

Connected things are growing at an unprecedented pace. A recent Statista report predicts that the number of Internet of Things (IoT) devices worldwide will almost double from 15.9 billion in 2023 to more than 32.1 billion in 2030. Amidst this rapid expansion, product manufacturers find it challenging to protect customers against malicious actors seeking to exploit their products’ security vulnerabilities. Doing so requires discipline across the entire product lifecycle, including external integrations and supply chain dependencies.

Product security concepts are still evolving and unique across industries and product categories. Booz Allen recommends practice themes related to system and vulnerability testing, program-level assessments, architecture reviews, and supply-chain risk assessments. The skills and knowledge required are tightly coupled to industry and product-specific categories, especially in the system and architecture realms. 
