Thank you all very much for attending. To get started and to get everybody on the same page, I've prepared a short story and a few slides, and the story goes like this. I came across an interview with the owner of a BMW dealership who said, well, 10 years ago things used to be a little bit different. People came here with a high-spec, expensive car and complained if there was a rattling noise in the dashboard or some squeaking noise from a window seal. Well, today they come, put the key on the counter and are super annoyed if Google or Apple CarPlay does not work, and if the iPhone doesn't connect, that's the truth. And this is just the time that we are living in. I mean, due to COVID, everything about digitization has just happened. It's just there. And of course, so much convenience: cloud, you switch your phone, you don't have to pull your data to a USB stick.
You simply have everything at hand all the time. You can connect everything via Bluetooth. You get a new TV set, even your new air conditioner, you can use the remote control of your life, which is my smartphone, your smartphone, your iPhone, your whatever. So that's quite good. And it's of course no good opportunity to stop that, because I don't believe that we want to go back to those living rooms with like 50 remotes on the table. I guess you remember those pictures. So that's just what's happening from the behavior, but also from terminology and understanding what's going on. Some things have rapidly changed. I used to know a bank as a building where you need to behave. Everything is super serious and there are people guarding the doors. There's a vault and real money in it. Today, people getting their first bank account simply tap something on their phone.
It's more a feature or a function, depending on which economy you look at. It's sometimes really only a feature in an app. So they of course get a little bit risk agnostic, because they always believe it's in their device, but at the end of the day, it's a remote control for a bank. So I don't want to be negative here. I mean, we have a lot of industry benefits with that, of course. I mean, if you have software at your product's core, you can go after vulnerabilities and security, which I'm going to talk about today. And of course some upselling potential: when you have a modern car, you can sometimes book functions that you haven't even specced out when ordering the car, like heated seats in the wintertime. So this is just super handy for the manufacturers, because they don't have to retrofit something physically.
And of course, on the other hand, if you are in an IT organization, then you will see people simply not understanding what the problem is if they simply use some kind of cloud service to maybe build up a CRM for the department and put in some customer data, and the IT department goes completely crazy when they find out. This means security by design, which is some kind of a GDPR term. GDPR is sometimes only considered an annoyance to follow. But with digitization in certain sectors like healthcare, clinics and medical devices, of course, human casualties are not a theory anymore. We see that when you look at the news, especially in the USA, we've seen some, but also in Germany clinics or healthcare centers have been hacked or there has been a ransomware attack. And it's not good if you have a person in your family that needs treatment and the machine doesn't work.
And this is because, I mean, of course data and ecosystems, it's all very diverse. And the awareness regarding data being an asset and being really important is sometimes not at the heart of the CEOs, as we all know. And regulators are catching up now. We see the FDA in America regarding cybersecurity and medical devices. We see UL, which is kind of the TÜV for China and the USA. And we see the UNECE regulations like R155, R156: cybersecurity in automotive development, secure update mechanisms when you deploy new ECU software. But also in the payment industry, like PCI DSS, the new standards simply demand your development processes to also govern the aspect of cybersecurity and vulnerability testing. At the end of the day, the punchline of this is total product lifecycle. They want you to not only build something that works, something that you can use function-wise, but they want you to take care of the lifecycle once the product is in the market.
We all know that: if you have a Tesla, you get an update, or I guess even other car brands get updates over the air, but also your smartphone, you get your regular updates. But of course this does not lead to a monetary benefit for the companies who are producing these devices, because if you drop your phone on the floor right now and it's broken and you buy a new one this evening in an electronics store, there's more revenue to the company that is producing these things than if they have to push out updates for two years and onward. So this is why it's not something that everybody wants to do just because it's mandated. So it all boils down to a growing need for data governance. And some of the regulations that you will find around the world are not even yet finished or binding.
However, it can go pretty fast. My colleagues sitting in the back and I, we just came across a regulation regarding cybersecurity and medical devices. And maybe you remember, until March it was simply in draft state, and on the 49 pages of the PDF you could read: it's just a draft, it's not for implementation, it's not finalized. And then at the end of March, they simply said, yeah, well, you need to take care of it until October this year. So that can be quite fast if you look at a large-scale company that is producing medical devices. So I have three perspectives for you, sharing our experience from working in different fields like medical devices, automotive, and so on. And I guess the first perspective, which is really important, is the perspective of the developers, because those are the ones that are taking care of the software inside the devices and need to make sure that everything that we've just been talking about is in those devices and is working.
And GDPR, five years in, I guess everybody has lived through it or at least knows what it's all about. But HACCP is always a very good example that not everybody knows. It's the hygiene by design regulation, if you want to call it like that. It's about the safety of handling and processing foods in the food and beverage industry, or in your restaurant or in your burger joint. And the best picture for it is: remember how burger joints used to operate in the nineties. There were burgers sitting on a hot plate waiting for somebody to come in and buy them. Now everything is made to measure, just in time, just in sequence, to keep it fresh. And HACCP is all about processing, not leaving stuff on a hot plate so that it builds up bacteria, about cleaning processes to make sure that nobody cleans the toilet with the same cloth as the kitchen.
So this is something that we appreciate and that has totally come to our world, and it's not too far-fetched regarding the technology world, because ingredient lists, the magic word about it is SBOM, software bill of materials, is now the new craze. Maybe you've heard about a bill of materials or came across it already: when you go to IKEA and buy a furniture set, there is a packing list with all the items. This is a bill of materials. And now what those regulations, more or less, not all of course in the same fashion, mandate is that you are in the know about every aspect of the software and hardware in your products, all open source software, off-the-shelf software, all the components that are in there, and take care of vulnerabilities, updating, versioning, and also disclosing them on demand. So of course not every company is able to do that.
However, this is now mandated and needs to be done, and is one of the, yeah, I guess biggest challenges now for the developers. And it will lead in the next, let's say, iteration in the next years, something that is already in development, to cybersecurity labeling. And the best example for cybersecurity labeling is the two pictures that you can see right here. We are all familiar with food labels and ingredient lists, of course, because maybe you are allergic to nuts or cheese, so you want to know whether something is in the product that you buy at the grocery store or not. And if you take a Samsung Galaxy phone box or maybe an iPhone box at the electronics store, is there a label on it telling you that Facebook is pre-installed? No, there's not. This is only a consumer example, but medical devices will need to be labeled regarding the software and the potential for cybersecurity attacks to maybe happen in the future.
So SBOM is just a first step. And the second approach is the perspective if you are working in compliance, just like me: intended and unintended use. Of course, generally nothing goes wrong if everybody is using a device the way it is intended to be used. But most of the time stuff goes wrong if a hacker, or somebody who is maybe simply not knowledgeable about using something right, uses it the wrong way. This is why microwaves in the United States have a label: please don't put your animal in there when you're coming from a walk and it's wet, because it will die. Or you have a plastic bag that you get and there is a label on it: please don't give it to your child, because it might suffocate. This is unintended use. And to find out about the dangers of unintended use, those regulations mandate you to conduct penetration testing.
We've just completed a project with a medical device manufacturer, and it's a wearable device that you dispose of after a few days. And of course this device contains a chip. So the pen testers took this device, took it apart, looked at the chip, and found out it has a vulnerability. Two days later they extracted all the medical data. So now, why did this happen? Because the development team did not care about the versioning of the chip. Of course, more than two years ago, the developer of the chip, some kind of company that is producing chips for the mass market, gave out a revision that is not vulnerable anymore. But the developers at the company we were working with did not know. So now they have a lot of products in store, but they cannot sell them in the US, because they know about this vulnerability that they cannot patch, because it's a hardware vulnerability.
So this of course leverages the TCO of smart products and leads to a backlash and responsibility if you don't know about it. So those regulations make sense, especially if you are talking about medical devices, which is of course not a game if something happens. I don't know if you came across the hacked insulin pumps. So hackers found out that you can, like, override insulin pumps, and I don't know if it's so funny if somebody via Bluetooth killed somebody, you know, by simply overriding the insulin pump, and then maybe somebody will get in a critical condition. So that's the second perspective. And the third one is quite short, but a lot of iPhones will now come out and take a picture of it, because I believe that this is what business will pivot around in the scenario that I'm talking about. You will need to decide whether you are focusing on leading-edge devices that are feature- and privacy-driven, maybe not too cheap, but are leading edge, as I just said.
Or maybe even go to a niche market where you sell a device like maybe a blood pressure monitor that is not connected to anything, just has a monochrome display, that is cheaper but is of course super cyber resilient. There will always be a market for cheap devices that simply do their job. So this is what the world will pivot around all the time. I guess it applies to a lot, but it also applies here. So what are the recommendations that we of course have worked through and are giving to our customers when we are talking to those three different dimensions? The first one would be threat modeling. At the end of the day, it's all about risk. All regulations and all certificates want you to know the risk. So this is why we are talking about penetration testing, vulnerability scanning and so on. And you need to know where your threats come from, because your risk managers will need to know, as they have to decide which risks you can remediate and which are risks that you simply have to live with, because it's residual risk that you cannot get rid of. You cannot put risk to zero.
It's impossible. And it will also be your task, and it will be a little bit hard, to have everybody understand that not only functionality but security needs to be at the same level, because otherwise the functionality only helps you on sales, but it will not help you if there is a problem with the devices that you have in the market that you now need to take care of until the end of their life cycle. And to better understand unintended use and what really goes wrong with all kinds of devices: I will never forget the four years I worked together with somebody who was a paramedic in his free time. He said he could never have imagined how much he would learn about people using things and what can go wrong, but for being a paramedic. So talk to people that really are in the field when things go wrong and are in those situations.
They know a lot about how stupid or maybe cumbersome situations can work out. And the second one is the compliance manager or executive perspective. You should always ask yourself a little bit about the history of the regulation that is brought up and that you are tested against. Study the history and the market, the mission, and try to get a notion of the impact of the threats from your developers. Your CEO will want to know what the impact of a threat is. Residual risk that you cannot get rid of will have an impact on your business, and it will be your job to dehydrate it for him so that he understands it. And one thing that I'm always astounded about is how much hour-long material you can find on those really special topics on YouTube. Hours of conferences, of people explaining regulations that nobody understands.
I really love it. And if you're a business person or sales manager, if you're a CEO or C-level person: total product life cycle and cost is the new thing that everybody is cautious about, and maybe really diversify your portfolio. Think about also building products that are not so risk-biased as smart products that now need to be governed in a special way or in a more complex way. And if possible, try to get your salespeople to work with compliance and risk people and developers. They will be better salespeople if they understand the perspective and the situation in full scope. So my last words will be that there is a lot on the horizon. We will have the European Green Deal, the circular economy action plan that will mandate you as a company to take back old hardware to recycle. So your life cycle will even get longer in a certain way, and there will be the European right to repair that will give every consumer the right to repair consumer goods by himself. That also means that you will need to supply the tools, the parts, and the bill of materials for that. So that concludes my talk. Thank you very much for having me. Thanks for any questions that you might have. Please feel free to comment and enhance my talk. And if the time now is not sufficient, I will be in the lobby; tap my shoulder, give me some feedback. I would love to hear it. Thank you very much.
Thanks. So I don't see any questions in the queue online, but I have a couple of comments, well, just information and a comment, that I'm wondering if you'd care to respond to. Yes. One is, I'm in the IEEE, and we produced a standard last year, P7002, Data Privacy Process, which is how to integrate privacy into your software development life cycle. So P7002, come talk to me about that. Well, here, okay.
I didn't know it, but I know that I'm getting so many updates about upcoming standards from IEEE that I really can't afford.
So ain't that the truth. And the other thing I want you to comment on in this space, and because you brought up cars, that made me think of this: how many of you have seen ads for products or services that say GDPR compliant right now? I used to work for a regulator, so I understand what that is. Is there a polite word in German for calling BS on that? Yeah.
It's good marketing.
Now here's my point, because in cars, nobody markets cars and says this car is Highway Traffic Act compliant. There are rules about construction that you can be compliant with. But if you get a stupid driver and he drives it at 80 miles an hour and breaks the Highway Traffic Act, that's on him and it's not on the manufacturer, and the GDPR is the same thing. So how do we make that journey to help the developers and others that are doing secure development to make sure that they don't over-promise and set customers free to do really stupid things?
My perception is that customers are more intelligent than some companies think. If you give people better instructions and more information about what the limits of technology are, I guess a lot of autopilot situations on YouTube would never have been uploaded. So you know what I mean? If you give people that, and really take them seriously and tell them that this is a dangerous act, then maybe they are more aware of it. That's what I believe.
Let's cross our fingers. Are there any questions in the audience? Anybody want to? We have time for one short, maybe two short questions, if there are any questions in the audience. Nope. Seeing nothing. Thank you very much.
Thank you very much. Thanks for having me.
Thank you, Shin. Have a good time.
Thank you. Bye-Bye.