Recently we received a request to test a couple of consumer devices -- the vendor wants us to try and root the device and gain access to protected applications and data. A common worry for the security-conscious company.
The trouble is most manufacturers of consumer devices are not security-conscious. Several years ago, we had a project in which we tested a consumer device that, in its previous versions, had no connectivity; however, in this to-be-released version, the device was including Internet connectivity for the first time. In fact, not just point-to-point collaboration but full unlimited browsing -- this ~$100 device was suddenly a full-featured netbook.
Here's where the problem came in -- the embedded/on-device code was rock solid but the AJAX and web-connect code was terrible... really awful. Security holes so large, we could drive the proverbial truck through them.
This is an all-too-typical case of smart engineers (or managers) assuming those "smarts" transfer to a new medium without any new education or training. They don't.
This is a topic about which I wrote quite a bit ~5 years ago. It's old news now; however, the same story repeats itself over and over. New medium, same problem.
This most recent request to test a consumer device for security issues brought me back to the story I just recounted above. But this time things are different. The company isn't just sending their device through a 3rd party security audit to meet a compliance checklist -- they are serious about protecting the IP on that device and are aware of the connectivity the device provides (and all the risk that comes with it). This company is to be applauded for their proactive security stance -- they are one of the few who view security not as a cost to be justified and minimized, but as an integral part of their business plan to be executed with precision, diligence, and excellence. This is a company that now realizes security is a business enabler (or a disabler if mistreated during product design and development).