Member Discussion

What Checks Do Manufacturers Perform To Check Their Program Code?

Below is an interesting video that may have been posted here before about security exploits found in some camera brands.

Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

However, exploits can be possible in any product (or service for that matter) involving software/firmware. In the video above, the speaker gives the impression that the exploits in the products he tested had very basic, almost amateur problems in the way their programming was written.

Writing software programs is a very specialized, complex and tedious task. Unless you are an experienced programmer yourself, you cannot easily see how well a program is written, and that’s only if you are trained and experienced in the same programming language you are looking at. And as evidenced by the video, it can be easy to make a program functional, even if it is not secure, so to a company manager or executive the product looks like it operates fine and is ready for market, but they might not have any idea how to verify their programming team (or vendor) did a good job making it secure beyond “does it require a password or not”.

As a manufacturer, are there any procedures or processes you use to make sure the software your programmers write (desktop, firmware, or otherwise) is not only free of bugs, but also free of vulnerabilities? Do you submit the code to a 3rd party to review and certify? Do you feel that if you did that, you would somehow be insulting your in-house programming team, by saying you don’t trust them? Does 3rd party review and certification just cost too much, or is it not really thought of?

"All of the above".

It's not uncommon to run standard pen tests on things as part of the overall QA process. Generally not with every minor release, but when major things have been changed/added (incorporating new services/features into the product, changing major libraries, etc.).

Honestly a lot of this is outsourced for free though. Many larger commercial customers (or, potential customers) will run their own pen tests on things as part of a POC phase. They'll come back with a report on what they think of your general security integrity. The IT security team at a large bank, insurance company, or similar is going to be a lot better at this than the scripts your QA department runs anyway.