
I’m glad to see the first stand-alone cyber security legislation passing into law today in Australia. The regulations around device security will be fascinating to observe as there are often conflicting incentives at work.
I know first-hand how difficult it is to ensure third-party devices meet security requirements. I was responsible for ensuring that third-party devices met Amazon’s high security bar before being allowed to onboard to Prime Video. This included TVs, set-top boxes, sound bars, and other “living room devices”.
Many device companies have a “pile it high, sell it cheap” mentality: they operate on short product lifecycles and small margins. They put out a new product every few months, and even getting them to provide security updates for their own devices beyond a year or two after production is difficult.
Such manufacturers are notoriously parsimonious when it comes to spending on security. For example, will every device need a hardware pentest? That alone could eat up all profits on some long-tail devices.
If the manufacturer only has to offer a statement of compliance with certain security requirements, can we trust them to be honest? And, if the devices are not tested, how can the regulations be enforced?
It will be interesting to see how the Australian Government handles these questions.