What should we in the world of Embedded InfoSec be focused on?
I’ve already touched on some of the “myths” of embedded InfoSec in a previous blog post. But what are the realities, or more accurately, what is the penultimate reality we face?
Vulnerabilities!
All the rest of the topics in embedded InfoSec are nothing but ‘noise’ compared to vulnerabilities. If we could perfectly mitigate all vulnerabilities, none of the rest of the trappings of InfoSec (tools, techniques, or procedures) would be needed. When you hear an “expert” focusing more on these external trappings (especially when they have a vested interest in selling some to you), run away!
The best course of action is to eliminate vulnerabilities to the greatest extent possible. This implies:
- Identifying the vulnerabilities
- Crafting mitigations for those vulnerabilities
- Understanding the level of effectiveness of the mitigations (repeat step #2/#3, until perfectly mitigated)
Vulnerabilities are generated in two major phases of product lifecycle:
- Design
- Implementation
Due diligence for design-based vulnerabilities is performed by decomposing “the system” into potential vulnerabilities. I prefer the STRIDE method created by Microsoft (nothing is perfect, but the rough edges are well known for STRIDE and can be avoided). This list of potential vulnerabilities is then scored (there are many different scoring methods; I prefer a modified form of CVSS). Those above a certain level are assigned mitigation priority. Rescore the “mitigated vulnerabilities” based on the effectiveness of the implemented mitigation.
Implementation vulnerabilities are introduced by the development team, usually as the result of insecure development practices. These can be mitigated via means such as secure source code static analysis, security reviews/walkthrough, and validation testing (I’ll discuss these more in future posts). Fix these when you find them; there is no acceptable lower level.
Don’t get distracted by tools, techniques, or procedures – or any of the other myths we busted a few blog posts back. Keep reminding yourself and your team what should dominate your focus: “Vulnerabilities!”