Product Security Glossary
What is Product Security?
Product security is the sum of infrastructure security, security operations, and applications security for a particular product or system.
Why is Product Security Needed?
Product security plays a vital role in every stage of the product life cycle. What was once a term associated mainly with embedded systems and connected devices is being extended as software systems become distributed and, in many cases, span server, cloud, and mobile applications to deliver their designed functionality to the end user. Product security covers the functional security of all software layers, including 1st-party, 3rd-party and FOSS code, as well as configuration security (non-code), all tested promptly and consistently across the entire product lifecycle from development to post-deployment.
As more and more essential aspects of modern life are controlled by software products (banking, medical devices, driving, communications, electricity, etc.), securing software products against known and unknown threats is becoming critical to the smooth operation of businesses and to maintaining the benefits of our digital economy. Compromised products can cause devastating financial and reputational damage, as well as physical harm in some extreme cases.
How Do We Achieve Product Security?
A common mistake that product developers make is to think of security as something to consider after the product has been designed. In reality, product security needs to be part of the entire product lifecycle, from the planning and design phase up through the deployment phase. Physical and software security both need to be considered. After all, it’s easier to include secure design concepts from the beginning of product development than it is to tack security on later.
Product development shops should have dedicated product security teams who work closely with company management and with product development engineers. Testing procedures should be in place for every stage of product design and development.
With some programming languages, such as C, it’s extremely easy to write program code that has serious vulnerabilities. Programmers need to be well-versed in the art of secure programming techniques. A problem that has been resolved only in recent years is that many colleges and universities didn’t include instruction about secure programming practices in their computer science programs. Any programmer who hasn’t already been exposed to secure programming practices needs to learn about them.
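The following C snippet, added here as an illustration and not part of the original glossary, shows the kind of defect the paragraph above refers to. It parses a constructed record format (a length byte followed by that many name bytes) into a fixed-size buffer. The first parser trusts the length byte it reads from the input; the second validates that length against both the bytes actually present and the destination capacity before copying anything. The record layout, the function names and the sample records are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX 16   /* capacity of the destination buffer, including the NUL */

/*
 * Record layout (constructed for this example):
 *   byte 0      : length n of the name field
 *   bytes 1..n  : the name, not NUL-terminated
 */

/* Vulnerable form: the length byte is used without any check, so a record
 * whose length byte exceeds NAME_MAX - 1 overruns 'name'. Kept only for
 * contrast; it is never called with an oversized record below. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len, char *name)
{
    (void)rec_len;                /* the available length is ignored entirely */
    size_t n = rec[0];
    memcpy(name, rec + 1, n);     /* writes past 'name' when n >= NAME_MAX */
    name[n] = '\0';
    return (int)n;
}

/* Hardened form: every quantity taken from the input is checked against
 * what is actually present and against the destination's capacity. */
int parse_name_safe(const uint8_t *rec, size_t rec_len,
                    char *name, size_t name_cap)
{
    if (rec == NULL || name == NULL || name_cap == 0 || rec_len < 1)
        return -1;                /* nothing to parse or nowhere to put it */

    size_t n = rec[0];
    if (n > rec_len - 1)
        return -1;                /* declared length exceeds the bytes supplied */
    if (n >= name_cap)
        return -1;                /* name plus terminator would not fit */

    memcpy(name, rec + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed sample records used by main() below. */
static const uint8_t GOOD_REC[] = {5, 'a', 'l', 'i', 'c', 'e'};
static const uint8_t LIAR_REC[] = {200, 'x', 'y'};          /* claims 200 bytes, has 2 */
static const uint8_t LONG_REC[] = {20, 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
                                       'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a'};

int main(void)
{
    char name[NAME_MAX];

    printf("good record -> %d (%s)\n",
           parse_name_safe(GOOD_REC, sizeof GOOD_REC, name, sizeof name), name);
    printf("lying length -> %d\n",
           parse_name_safe(LIAR_REC, sizeof LIAR_REC, name, sizeof name));
    printf("too long     -> %d\n",
           parse_name_safe(LONG_REC, sizeof LONG_REC, name, sizeof name));
    return 0;
}
```

The two checks in parse_name_safe are the whole difference: the first rejects records whose declared length is larger than the input that arrived, the second rejects names that cannot fit in the caller's buffer with a terminator. Static analysis and code review, as discussed below, are aimed precisely at finding call sites like the one in parse_name_unsafe where a copy length originates in untrusted input and is never compared against anything.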
Software testing should be designed to detect any design or code problems that could introduce vulnerabilities. Product security teams need to perform static and dynamic code analysis, manual code reviews, and unit testing throughout the entire development process. After a product has been deployed, the product security teams need to monitor the CVE databases to see if any post-deployment problems have cropped up. Critical problems need to be fixed as soon as possible, even if it means doing a product recall.
As we said at the beginning, product security is vitally important, due to the number of devices that are connected to the Internet of Things. Lack of product security in these devices could result not only in leakage or theft of sensitive data, but also in death, injury, or property damage. Product development shops need to consider product security at every stage of product development.