Oct 31, 2019
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/)
We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't.
Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products.
This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.
Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.
On this episode of Defense in Depth, you’ll learn:
- We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
- Some basic measurements of security such as stack guards and buffer overflow protection showed no noticeable improvement.
- Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
- People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA).
- Be very careful with these agreements. Often a vendor will make outrageous claims like saying they own the data.
- When we have security incidents companies are not blamed or liable.
- What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?