Do not just patch vulnerabilities - use the defender's advantage

As early as 1998, Gary McGraw wrote "Testing for Security During Development: Why we should scrap penetrate-and-patch" (IEEE Aerospace and Electronic Systems Magazine, vol. 13, no. 4). Unfortunately, the message is still valid. We should not just chase vulnerabilities and then fix them; we should use secure engineering and robust techniques to avoid them. If we act only when a vulnerability is found, fixing it is expensive, and if the vulnerable product is already out, we are exposed to incidents. As attackers need to find only one vulnerability, we, the defenders, seem doomed to lose.

However, we have the advantage. We can choose the technologies we use, and we understand what we have built. We should choose well-known secure components, protocols, and algorithms. Implementation should be done with memory-safe languages (e.g., Rust, Go, Java), and we should use secure practices in our chosen framework. The attack surface should be minimized. Security testing should check that our plans hold. Vulnerability scanning should also be done, but as supporting quality assurance. Indeed, security regulations and standards such as the Cyber Resilience Act (CRA) and IEC 62443 require testing beyond scanning for vulnerabilities.
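As an added illustration of checking that the plan holds (not code from the original article or from Test of Things), the sketch below compares a device's planned services and controls against what a scan observed. The `Service` fields, the plan, and the scan results are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Service:
    port: int
    transport: str              # "tcp" or "udp"
    protocol: str               # e.g. "https", "mqtt"
    tls: Optional[str] = None   # TLS version; None means plaintext
    auth: bool = False          # endpoint demands authentication

TLS_ORDER = ["1.0", "1.1", "1.2", "1.3"]

def tls_ok(observed, required):
    """True when the observed TLS version meets the planned minimum."""
    if required is None:
        return True
    return observed in TLS_ORDER and TLS_ORDER.index(observed) >= TLS_ORDER.index(required)

def check_plan(plan, observed):
    """Return sorted findings where the observed device deviates from the plan."""
    planned = {(s.transport, s.port): s for s in plan}
    seen = {(s.transport, s.port): s for s in observed}
    findings = []
    for (transport, port), obs in seen.items():
        where = f"{transport}/{port}"
        want = planned.get((transport, port))
        if want is None:
            # Attack surface grew beyond what the design allows.
            findings.append(f"{where}: unplanned service {obs.protocol}")
            continue
        if obs.protocol != want.protocol:
            findings.append(f"{where}: expected {want.protocol}, found {obs.protocol}")
        if not tls_ok(obs.tls, want.tls):
            findings.append(f"{where}: TLS {obs.tls or 'none'} below planned {want.tls}")
        if want.auth and not obs.auth:
            findings.append(f"{where}: authentication planned but not enforced")
    for transport, port in planned.keys() - seen.keys():
        findings.append(f"{transport}/{port}: planned service not observed")
    return sorted(findings)

# Constructed sample data: the design plan and one scan result of the device.
PLAN = [Service(443, "tcp", "https", tls="1.2", auth=True),
        Service(8883, "tcp", "mqtt", tls="1.2", auth=True)]
OBSERVED = [Service(443, "tcp", "https", tls="1.3", auth=True),
            Service(8883, "tcp", "mqtt", tls="1.1", auth=True),
            Service(23, "tcp", "telnet")]
```

Run in a build pipeline, a non-empty result from `check_plan(PLAN, OBSERVED)` fails the build even when no known vulnerability is reported for the unplanned service.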

At Test of Things, we support our customers in making secure design and implementation choices for IoT. We built automated testing that asserts that the planned security controls are present and that the attack surface remains minimal, while also checking for vulnerabilities. Our solution is technology- and language-agnostic; no matter your choice, we have you covered. We help defenders maintain their advantage over attackers, ensuring a high level of security and compliance with relevant regulations.
