Securing Tech Product Supply Chain Is No Easy Task
Getting security right is not easy, but with so much relying on information technology these days, suppliers of software and technology need to put greater effort into hardening their devices, Eric Baize, senior director of product security and trusted engineering for EMC Corp., told eWEEK.

Once informed, most manufacturers will make a good-faith effort to comply with major clients' requirements. Moreover, suppliers need to understand that security is a required feature of any connected product. While bringing a product to market quickly and with the right features is obviously necessary for success, securing the product and the customer's data is an increasingly critical component of any development effort, he said. "The onus is clearly on the manufacturer to put the controls in place to secure the products that they are going to bring to market," Wright said.

Build a security process

Baize, who chairs the board of the Software Assurance Forum for Excellence in Code (SAFECode), argued that it is time to stop complaining about how tough the task of securing software and devices is and instead put in the work to lock down the tidal wave of new products. "A developer needs to do the right thing," he said. "If it is difficult, it is likely because you don't have a software engineering process in place."

Manufacturers do not have to take the task on alone, however. Projects such as SAFECode's Principles for Software Assurance Assessment and the Building Security in Maturity Model (BSIMM) aim to give companies blueprints for ensuring that security is built into a business and its products.

For many suppliers, this will be new territory, James Lyne, global head of security research at antivirus firm Sophos, told eWEEK. "There is a whole industry there that has not suffered like Apple and Microsoft have for the last 20 years, and so have not learned these lessons," he said.

Start with training

Once companies create a process for improving their product security, or, as a consumer, for checking the security of your suppliers' products, training and retraining can help instill the security ethic into developers' way of working, said SAFECode's Baize. "To solve the software security problems we are facing across the board, we need developers to be trained on software security," he said.

In the end, however, doing everything right is still no guarantee that cyber-criminals won't find a way to compromise software or exploit a hardware system, Baize said. "Sometimes software security is like guessing someone's life expectancy," he said. "It is very difficult and challenging, and it is based on a very holistic process. Even if you do everything right, there will always be a chance that someone can exploit a vulnerability in the software."