What makes a device truly secure, and what does device security truly mean? To find out, we interviewed our experts at Riscure, now part of Keysight. As they shared their thoughts, several common themes stood out, including why compliance, product longevity, and efficient vulnerability analysis are the key factors in success of device security.
The hardware dimension
Hardware vulnerabilities open an entirely new dimension of threats. Experience shows that even with the most thorough attention to software security, devices may be breached because of sophisticated hardware attacks. Hardware vulnerabilities can allow attackers to bypass software security measures entirely, especially when the device was not designed with security in mind.
We frequently emphasize the importance of considering hardware attacks when testing the security of a device. By doing so, developers can anticipate the methods attackers may use to exploit physical components, whether through side channel attacks, fault injection, or tampering. These hardware risks show why viewing device security holistically is essential—it’s not just about the software, but the entire system.
More than a checklist of compliance
While regulatory compliance is often the starting point for security, it’s important to recognize that compliance alone does not guarantee a secure device. “Certification doesn’t mean that the device is 100% secure, as that is also simply not possible,” said Nisrine Jafri, Senior Security Analyst, Riscure Security Solutions. “However, it means that it conforms to the scheme requirement for the specified certification level.”
Following regulatory guidelines ensures a baseline level of protection, but attackers are adept at finding weaknesses that regulations may not consider. True security requires a more dynamic approach, one that anticipates vulnerabilities and considers the device as a whole system.
Longer product lifecycles
The longevity of devices is another key factor in device security. Some devices are used for a longer period than regulations can keep up with. Some devices, such as IoT or automobiles, often remain in the field for 5 to 20 years. This long lifespan introduces unique risks, as products developed today might be exposed to more advanced adversaries in the future.
“Sure, if the product is there for a few years, there is time to update its security in the following release. But if the product is there for 20 years, especially a world where it is crucial to keep up adversaries, it is vital to make sure the product is very secure,” said Senior Security Analyst Chris Berg.
It’s therefore crucial to adopt a forward-looking perspective, ensuring that security mechanisms can adapt throughout a product’s life cycle.
Learning from other industries
Industries that handle highly sensitive data, like payment systems, have been at the forefront of device security innovation for decades. The lessons learned from securing credit cards and payment terminals can often be applied in other sectors. The security practices in these fields are the result of years of refinement, regulation, and understanding of real-world risks. Bringing that same level of rigor to other industries—whether mobile, automotive, or IoT—can significantly raise the bar in security.
As compliance in security is still evolving, consumers are more security cautious than ever in selecting their devices. “In some industries, security evaluation is voluntary,” said Senior Sales and Business Development Manager Hanna Humenyuk. “As consumer perceptions shift, we observe more organizations who are not obliged to comply now conducting their own risk assessments.”
Security is hard, and insecurity is easy
High level of security is not something that can be easily added to a product. On average, human error introduces 15 bugs per 1,000 lines of code, and while these vulnerabilities may be unintentional, fixing even a single flaw often requires significantly more time and effort than writing the code itself. It is much easier to create insecure products—whether due to overlooked vulnerabilities or an incomplete understanding of the threat landscape.
Techniques like threat modelling are often used to narrow the scope of analysis to focus on the most crucial parts that need security. As Principal Security Analyst Praveen Vadnala noted, “Device security, for me, is looking at the important assets in the device and developing ways to protect them. Security considerations need to be translated correctly to development requirements throughout all stages, reflecting on and reviewing assumptions made from the beginning to the end.”
Spotting mistakes early is important
Mistakes are inevitable, and no software is free of bugs or vulnerabilities, but the key is recognizing this reality and developing the knowledge and tools necessary to spot and correct these mistakes before they can be exploited. Device vulnerabilities may be introduced early in the development process and may go unnoticed until it’s too late. This is why it’s crucial to embed security practices throughout the entire development cycle—from design through production. Security should not be an afterthought or a feature that is added on later. Instead, it must be built in from the ground up.
“It is ensuring that the security is implemented properly, starting from the architecture level, continued in the design, and finalized during the implementation of a device,” Vadnala said.
By embracing a security mindset, learning from robust industries, and being aware of common mistakes, companies can develop devices that are not only compliant with current security regulations, but are also secure in the long term.