My team talks a lot about “proactive security” – the concept of baking cybersecurity measures into architecture and design as opposed to responding to vulnerabilities and breaches when they occur. However, I lacked a quantitative answer when recently asked: “how do you convince businesses to start being proactive?”
Windows developers may be familiar with “banned.h” or “strsafe” libraries. Introducing safe libraries to development is nothing new, as was covered in the 2007 presentation on SDL for Windows Vista (slide 7). While basic, these basic libraries have been shown to provide significant value - as discussed later in the deck, 41% of bugs that Microsoft removed in Vista early on were due to removal of ‘banned’ API function calls.
While we are always excited to both learn and share the latest technical developments in cybersecurity (the recent Black Hat and DEF CON conferences were no exception), we also enjoy stepping back once in a while to look at macro trends in the embedded security industry. While security is a top priority in many enterprise and industrial settings, here are three key concepts that we think are important for us all to keep in mind: