7 Embedded Firmware Security Questions That Risk Managers Should Be Asking


February 15, 2017

The security (and insecurity) of embedded firmware devices is coming to light. Risk managers and other stakeholders are considering the best ways to address expanding and evolving security issues and craft solutions. Yet, these uncharted waters are leaving many unsure of how and where to start.

Based on experience, here are 7 Embedded Firmware Security Questions Risk Managers Should Be Asking:

  1. Have secure coding practices been used to build this device?
  2. Has the compiled firmware image (or images) been tested for vulnerabilities?
  3. Has a process for updating the firmware been defined?
  4. What are the possible threat environments for the device?
  5. Who's at risk should an attack occur on the device?
  6. Who's at risk should an attack occur using the device as an attack vector?
  7. Is there published information about using this type of device in attacks and, if so, what can be learned from the past?

Knowing the questions is half the battle.