A few weeks ago, I had the opportunity to speak at SecTor on a topic that I’ve been interested in bringing attention to for a while, the shifting IoT market. You can view the entire presentation online; however, I was asked if the checklist that I present was available via any other means.

The following is the IoT Purchasing Checklist that I provided as part of my presentation and my reasoning for the inclusion of various items.

Before You Buy

• Is the manufacturer reliable? Will they remain in business for the lifetime of the product?
  • If you need a product to be deployed for the next 5-10 years, you aren’t helping yourself if you buy into a company that will be gone in 12 months.
• Is the product the first of its kind or is it competitive with other product offerings?
  • One of the major tenets of my theory is that companies will sacrifice in other areas in order to be first to market. One of the places where sacrifices are more typically made is product security.
• How frequently does the vendor publish updates?
  • If a product has been available for several years and no updates have been published, you may want to question if the vendor actually maintains their products.
• Does the firmware auto-update or require manual intervention?
  • While you may want the control of manual updates for certain mission-critical devices, other devices may be deployed in such a way that manual updates are impossible. It is important to know how much control you’ll have over the software version you are running.
• Are there reported vulnerabilities in the product?
  • If the vendor maintains documentation around vulnerabilities, that should not be considered a negative. No product is completely secure; it’s important to see that a vendor acknowledges and reacts (Read more...)