Fighting Crime with SE Android

By Paul Parkinson

Last week, I read a BBC News story (Met Police technology 'ineffective and outdated') about how the Metropolitan Police force in London, UK was being hampered in its fight against crime by out-of-date technologies. The news story discussed the London Assembly report (PDF) which highlighted the fact that most police officers had smart phones and tablets which they…

Operating System Hardening Techniques and Security Strategies

By AJ Shipley

In my last blog post, I focused on securing the device at a high level, and in this post, I’d like to dive a bit deeper into the technical aspects of device security; specifically, regarding defense against “run time,” or operational vulnerabilities, that a system is exposed to after it has booted up. A defense in depth…

Securing Critical Infrastructure with MILS

By Paul Chen

On February 12, the White House released the Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience. The DHS website describes PPD-21 as “advancing a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure.” Sixteen different critical infrastructure sectors are identified, including: Chemical, Communications, Energy, Financial Services, Healthcare and Public Health, Food and…

Let’s Talk About Securing the Device

By AJ Shipley

In my previous blog post, I touched on the key variables influencing how we approach device security. In this blog post, I’ll focus the discussion on securing the device. Before I do, I want to touch briefly on what was a key takeaway for me from last month’s RSA conference in San Francisco. This year, the…

The CWE/SANS Top 25 Most Dangerous Software Errors: What it means for embedded developers

By Bill Graham

The CWE/SANS Top 25 is fairly well known among security experts but might be overlooked by embedded developers since the list covers all types of systems and programming languages. Developers are fully aware of the quality impacts of many of these errors; however, they may be less knowledgeable about the security implications. The classic example is the buffer…

Top Five Variables Influencing the Approach to Device Security

By AJ Shipley

In my previous blog post, I covered the importance of having security built in and not bolted on. In this blog post, I’ll outline the top five key variables that are influencing how we approach device security -- a topic particularly top of mind as I spend this week at the RSA Conference.

1. Connectivity to the enterprise…

Security Must be Built In…Or Else

By AJ Shipley

Security cannot be bolted on; it must be built in. This statement proves to be especially true when considering the recent hack of the New York Times, where during a four-month-long cyberattack by Chinese hackers, the company's antivirus system from Symantec missed 44 of the 45 pieces of malware installed by attackers on the network. Cases like this…

The Role of Tools in Improving Embedded Software Security / Part 3: Mapping the Tools to Activities

By Bill Graham

In the previous posts in this series, Part 1: Automation is the Key and Part 2: Security Improvement and the Software Development Lifecycle, I talked about the connection between the typical embedded device development process and the 5+1 improvement framework for embedded security. Figure 1 is an illustration of this connection (and discussed in more detail in…

Medical Device Security

By Jeff Fortin

A recent study published by GAO caused quite a bit of uproar over medical device security. The GAO declared in its report that the FDA has not put enough oversight in the premarket approval (PMA) of certain medical devices that are susceptible to threats. In the report, the GAO referred to an experiment described in…

First Line of Defense

By Ka Kay Achacoso

Designing security into a device requires an understanding of the nature of the attacker. The cost of security implementation, including acquiring the technology and carrying out the processes, scales up with attacker sophistication. A rule of thumb is to make the device tampering cost higher than the benefits gained from a security breach. Wind River’s VxWorks…