IPVMU Certified | 01/07/15 03:56pm
Below is an interesting video that may have been posted here before about security exploits found in some camera brands.
Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker
However, exploits can be possible in any product (or service for that matter) involving software/firmware. In the video above, the speaker gives the impression that the exploits in the products he tested had very basic, almost amateur problems in the way their programming was written.
Writing software programs is a very specialized, complex and tedious task. Unless you are an experienced programmer yourself, you cannot easily see how well a program is written, and that’s only if you are trained and experienced in the same programming language you are looking at. And as evidenced by the video, it can be easy to make a program functional, even if it is not secure, so to a company manager or executive the product looks like it operates fine and is ready for market, but might not have any idea how to verify their programming team (or vendor) did a good job making it secure beyond “does it require a password or not”.
As a manufacturer, are there any procedures or processes you use to make sure the programmers who write your software (desktop, firmware, or otherwise) is not only free of bugs, but also free of vulnerabilities? Do you submit the code to a 3rd party to review and certify? Do you feel if you did that, you would be somehow be insulting your in-house programming team, by saying you don’t trust them? Does 3rd party review and certification just cost too much, or is it not really thought of?