Finite State | November 09, 2022
Finite State, the product security leader for connected devices, today announced it has hired Larry Pesce as its Product Security Research and Analysis Director. Pesce will serve as a senior consultant, providing expert guidance and services to product security teams worldwide, including product security program design and development, product red-teaming and penetration testing, software supply chain risk management, and vulnerability management.
Recent research from the Ponemon Institute indicates that six of every ten organizations find it increasingly difficult to quickly respond to new vulnerability disclosures that may impact their devices, a reality that becomes especially painful when zero-day vulnerabilities such as last month's OpenSSL vulnerability surface.
“Sixty percent of IT and IT security practitioners report that their organizations lack the in-house expertise to stand up a strong security posture, and 62% cite a lack of resources. I'm confident that, with Larry's leadership and expertise, he will work closely with our customers to understand their needs, identify their product security gaps, and guide them toward solutions. As our Product Security Research and Analysis Director, Larry will act as an internal voice of our customers to help our product, engineering, R&D, and sales teams develop and deliver the solutions that our customers need right now.”
Matt Wyckhouse, founder and CEO of Finite State
Pesce has held senior security and research positions at leading cybersecurity and IT services and consulting firms including InGuardians, Inc., and NWN Corporation. Earlier in his career, Pesce oversaw IS security at Care New England, a Rhode Island-based healthcare provider. An established cybersecurity thought leader, Pesce serves as a principal instructor and course author at the SANS Institute and has co-hosted the popular Paul's Security Weekly podcast for more than 15 years.
“Embedded device security has been a passion of mine since the early 2000s. So long ago that it was well before the dawn of what we now refer to as IoT,” said Pesce. “I’m excited to bring my expertise to Finite State to help our customers utilize effective SBOMs, provide actionable results to issues [vulnerabilities], and affect the security of the IoT software supply chain in a positive manner.”
Pesce holds several GIAC certifications, including the Global Industrial Cyber Security Professional (GICSP), the GIAC Certified Incident Handler (GCIH), and the GIAC Assessing and Auditing Wireless Networks (GAWN) credentials. Pesce earned his B.S. in Computer Information Systems from Roger Williams University.
About Finite State
Finite State empowers organizations to gain control of product security for their connected devices and supply chains. Across the software supply chain lifecycle, Finite State is the single pane of glass for customers that provides continuous visibility into product supply chain risk.
Backed by a team of seasoned experts, our automated product security platform arms our customers with the actionable insights, critical vulnerability data, and remediation guidance necessary to mitigate product risk and protect the connected attack surface.
ARC, Inc | October 17, 2022
Armaments Research Company, Inc. (ARC) and Booz Allen Hamilton (BAH) announced a partnership to demonstrate the performance of ARC’s weapons sensing data across BAH’s fifth-generation mobile technology (5G)-powered network. This project is part of BAH’s previously awarded Joint Base Lewis-McChord 5G-Enabled Extended Reality (XR) contract to maximize soldiers’ performance on and off the battlefield.
The project allows BAH to prototype and optimize Internet-of-Things (IoT) and XR capabilities with tailored military applications, ultra-low latency and scale. ARC’s AI-powered tactical weapons sensor securely collects and processes key battlefield and soldier performance data to allow ground force commanders a more complete common operating picture to aid in decision making.
When combined, these solutions empower the warfighter with curated, relevant engagement data at speed, enabling leap-ahead, machine-to-machine capability for US Defense.
“This partnership will help reveal what’s conceivable as the Army considers new approaches to gaining overmatch in future conflict. The collective creativity across the Army, BAH, and ARC teams thus far has inspired a more ambitious vision of scale for this combined solution. This project represents the forefront of a true leveling up of our nation’s military.”
ARC CEO Michael Canty
ARC technical solutions and case studies are available for individual demonstration. Interested parties are invited to visit armaments.us and contact firstname.lastname@example.org for more information.
About Armaments Research Company, Inc.:
Founded in 2016, ARC is a privately-owned, top-secret-cleared, Washington D.C.-based technology firm, led in tandem by innovative technology experts and combat-tested military veterans. ARC's original solutions were developed under DARPA and National Science Foundation sponsorship, leveraging state-of-the-art internet-of-things (IoT) and machine learning (ML) technologies to transform weapons into information nodes or ‘sensors’ and arm Commanders with advanced, real-time decision support.
ioXt | October 28, 2022
The ioXt Alliance, the global standard for IoT security, announced that its CEO, Gary Jabara, participated in a White House strategic discussion on developing an effective IoT security labeling program. The event included senior representatives from IoT device manufacturers, industry associations, standards bodies and U.S. government agencies, and was held on October 19, 2022. The IoT security labeling event was among the initiatives supporting the May 2021 executive order 14028 on improving the nation's cybersecurity.
The IoT security labeling event had four goals:
Harness market forces to accelerate the development of IoT security labeling programs to raise the level of cybersecurity across the entire IoT ecosystem.
Incentivize the ability of manufacturers and retailers to incorporate baseline and more advanced cybersecurity functionality in products.
Reduce unnecessary barriers to trade by harmonizing international labeling programs.
Identify the oversight and regulatory mechanisms necessary to ensure that IoT products meet or exceed security baselines.
Insights from the event will serve as a platform to communicate the U.S. government’s commitment to IoT security, announce initial actions it is taking and articulate a work plan for achieving the vision.
“It was an honor to participate in this meeting and help define a robust labeling system for IoT security that will mitigate security risk for businesses and consumers, harmonize a fragmented ecosystem and improve national security. As the global standard for IoT security, ioXt is very pleased to be intimately involved and offer its insights to support this very important initiative. We will continue to work with regulators in launching an effective labeling program across the country.”
ioXt CEO Gary Jabara
The lack of market transparency regarding IoT security makes it difficult for buyers to make informed choices, which has led to a proliferation of insecure devices in American households and businesses. Both cybercriminals and hostile nation-state actors have increasingly exploited this growing attack surface to conduct surveillance and launch cyber-attacks, presenting a national security concern. By providing consumers with the ability to evaluate IoT products based on their cybersecurity protections, labeling programs may dramatically improve security across the IoT ecosystem.
About the ioXt Alliance
The ioXt Alliance is the Global Standard for IoT Security. Founded by leading technology and product manufacturing firms, ioXt is the only industry-led, global IoT product security and certification program in the world. Products with the ioXt SmartCert give consumers and retailers greater confidence in a highly connected world.
AMTSO | September 06, 2022
AMTSO, the cybersecurity industry's testing standard community, today announced it has published its first Guidelines for Testing of IoT Security Products. Drawing on input from testers and vendors, the guidelines cover principles for the testing of IoT security products, providing testers with recommendations on test environment, sample selection, testing of specific security functionality, and performance benchmarking.
The guidelines include the following sections:
General principles: All tests and benchmarks should focus on validating the end result and performance of protection delivered, instead of how the product functions on the backend.
Sample selection: The guidelines address the challenges of choosing the right samples for IoT security solution benchmarking. For a relevant test, testers need to select samples that are still active and that actually target the operating systems smart devices are running on.
Determination of "detection": IoT security solutions work very differently from traditional cybersecurity products when it comes to detections and actions taken; for example, some solutions will simply detect and prevent a threat without notifying the user. The guidelines suggest using threats with admin consoles that the tester can control, or using devices where the attack will be visible if it is carried out.
Test environment: In an ideal case, all tests and benchmarks would be executed in a controllable environment using real devices. However, the setup can be complex, and if the tester decides against using real devices in the testing environment, they are advised to validate their approach by running the desired scenario with the security functionality of the security device disabled and checking that the attack executes and succeeds.
Testing of specific security functionality: The guidelines include advice on different attack stages, including reconnaissance, initial access, and execution. They outline the option of testing each stage individually versus running the whole attack end to end. Choices on this should be documented in the testing methodology.
Performance benchmarking: The guidelines also provide considerations on performance benchmarking, for example suggesting that testers differentiate between use cases such as consumers versus businesses, and account for the criticality of latency or reduced throughput per protocol, which depends on the protocol's purpose.
The guidelines were approved by the AMTSO membership in June 2022.
AMTSO is the cybersecurity industry's testing standard community, consisting of over 60 security and testing member companies from around the world. The organization offers a platform for knowledge-sharing and collaboration on objective standards and best practices for anti-malware testing and assessment of other cybersecurity products. The AMTSO standard raises the bar for cybersecurity tests, contributing to more fairness in the industry, and creating transparency for consumers and businesses looking for the best digital protection.