Considerations for purchasing IoT vulnerability management solutions

The category of IoT product security platforms is relatively new. The solutions are also referred to as: “firmware analysis”, “OT/IoT software supply chain security”, “automated security for embedded systems”, “networked device vulnerability assessment”, “reverse engineering/digital twin” or “automated security and compliance for digital products”. The solutions differ significantly in what they can ingest, analyze and output.

While some vendors also try to address the market for OT operators, all vendors target developers of IoT products, e.g., manufacturers of sensors and electronic control systems.

Which requirements which are not exactly obvious could be relevant?

  • What is actually needed for a secure engineering process? E.g.:
    • Creation of a Software Bill of Materials (SBOM) for the firmware?
    • Software license management?
    • Static/dynamic testing of non-compiled source code?Checking third-party/open-source software for security vulnerabilities using SBOMs?
    • Checking binaries for security vulnerabilities?
  • Is an on-premise solution possible or what data is sent where for analysis?
  • What standard integrations are in place, e.g. with the currently used CI/CD toolchain or application lifecycle management software? What can be implemented via a REST API, and how much effort would have to be invested to implement and maintain the interface?
  • By checking usability on processor architecture, file systems, or other relevant aspects, will results that are false positive be filtered out? This can make a huge difference in the workload of the development team. If yes, what architectures are supported?
  • Which threat data feeds are used to detect vulnerabilities? Only CVE/NVD or also proprietary or custom databases?
  • Are specialist services offered, e.g. security assessments and pentests if required? This can be helpful to resolve issues more quickly or to increase the capacity of the internal engineering team when bottlenecks occur.

Who are the typical providers?

Depending on the actual requirements, the following vendors might be suitable: Aqua Security, aDolus, Cybellum, Finite State, Firmalyzer, JFrog, Moabi, Netrise, OneKey (formerly IoT Inspector) or Synopsys Black Duck, etc.

What are the typical costs that should be budgeted?

Pricing models vary significantly among some vendors, depending on the number of scans or number of projects/products. This typically leads to the question where to draw the line between a product derivative/update and a new product (according to our information, a general guideline could be 20% changes in the source code or sometimes even changed compiler settings). Other vendors charge annual license fees that include an unlimited number of scans to support good practices in development (i.e., regular vulnerability scans).

This means that, on the one hand, realistic scenarios for actual use are required. On the other hand, a careful comparison of provider options and solutions can offer significant savings potential for similar functions.

Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.