Security

Security in the modern world

Security is no longer optional. It is not a “nice to have.” It is not a premium feature. It is a requirement.

There are many factors that play a role in the overall security of the ecosystem: people, procedures, tools, and software – all of these make up the system. My role is to be a security-aware engineer and to create software that does not put anything or anyone at risk.

Ensuring security

Security by design

Most areas of modern security, especially cryptography, start with cryptographic material stored on the device. This material needs to be stored securely, and this must be considered when designing the device. Even in the cloud, some material cannot be protected after it has been created – and even there, cryptographic keys play a major role in overall security.

It is much easier to develop secure products when security is taken into account during the design phase, so the device can be properly prepared. This includes considering what is created, generated, loaded, or encrypted in the factory, how the device is locked, and how it communicates with the rest of the system.

Secure implementations

Security goes hand in hand with quality. Poor implementation creates more opportunities for threat actors, and it must be avoided. Software with bugs is not just annoying – it is usually less secure. Ensuring security during the implementation stage is easier with modern programming languages, which are designed to help avoid security issues at the code level.

Maintenance

Maintaining high security is a never-ending task. Sometimes it is a matter of updating dependencies or cryptographic libraries; sometimes it requires re-implementing certain components.

Upgrading embedded devices always comes with a risk. This is where quality comes into play. A reliable upgrade mechanism is the foundation of a secure product.

Fewer dependencies mean less maintenance overhead, and this is one of the reasons why I value simplicity in software engineering.

Testing

Testing for quality is the easy part: it is straightforward compared to security testing, which requires specialized knowledge. Some aspects of security testing can be automated, but automated tests do not replace human creativity in breaking protections. This is one of the few areas where I actually recommend manual testing.