Keynote panel: An E2E approach to tackling data security challenges of the IoT
Right now we have lots of theory about security, so intellectually we are good. In practice we are terrible – old devices, devices that can't update, etc.
When you learn dev you don't learn security – you learn functionality and speed. Security is an afterthought. Security is seen as complex and expensive, but it's not, it's common sense.
Security by design: clean code, test – less code, fewer bugs. Think about what can go wrong – think about it before it happens!
Security isn't a product, it's a continuous process. Train devs to build secure code! Teams of devs need to work through the whole lifecycle.
Consumers are becoming more aware of privacy issues (together with security) – there are data security challenges too. The scope of what defines security is changing: content, data, privacy, application, code, protocols. It's starting to affect safety too – if security is compromised on a safety device you could end up impacting safety.
Hardware security is a whole other topic – hardware is more mature (but still gets bugs, e.g. Intel).
It's hard, as ROI on data security challenges of the IoT is hard to measure – it costs money for security, but it is difficult to measure returns.
Everyone should be doing risk assessments. Know who your adversaries are. If you have three-letter agencies coming after you, then you have no chance! Governments have infinite money and resource!!!
Commercial offerings for consumer and enterprise etc.: fingerprinting devices, checking known vulns, etc. F-Secure want a gateway to protect the home (security into)
Not all security risk is technical.
Do red team / blue team scenario exercises (to test response to things), e.g. simulated wargames (I like this idea), to test your readiness as a team for various incident responses.
Challenge your vendors.
Think about your risks.
It's about responsibility and education.
Enable your developers!