Product Security for Connected Devices: How Traditional AppSec Falls Short

Cyber Senate are pleased to announce that co-sponsor Finite State, led by Lead Engineer Jason Ortiz and joined by Jonathan Tubb, Director, Industrial Cyber and Digital Security at Siemens Energy, will be providing a dual presentation this September 29th and 30th in Celebration, Florida.

Product security for connected devices (OT, IoT, IIoT, etc.) has been playing catch-up to enterprise application security, its more established cybersecurity cousin. AppSec plays an integral role in ensuring that development teams build secure web applications and APIs by integrating static and dynamic application security testing and other security practices.

Tools based on these practices are built for securing web applications, but they fall short when it comes to connected devices.

To secure connected products, developers and manufacturers must use tools and processes that are purpose-built to analyze the complex binaries found within connected devices and embedded systems. Beyond the capabilities of traditional AppSec tooling, dedicated product security tools must work with the specialized languages, systems, and deployment cycles of these connected devices.

In this talk hosted by Finite State’s Jason Ortiz and Siemens Energy’s Jonathan Tubb, we will examine where traditional AppSec falls short in analyzing the composition of a device, detecting its vulnerabilities, assessing the severity of those vulnerabilities, and prioritizing and conducting response actions. In this session, you will learn why AppSec tools can’t always see the opaque threats that live inside connected devices, how to generate a device-level Software Bill of Materials, and how to build a product security strategy that leads to more secure products and software supply chains.

Jason Ortiz is Lead Engineer at Finite State and has over 10 years of experience in the US Intel Community and more than five years in commercial cyber security services. In his role, Jason develops necessary interfaces between the Finite State Platform and data for use by customers and partners in their business context. Jason joined Finite State from Pondurance, a managed detection and response company, where he served most recently as a senior product engineer. Prior to joining Pondurance in 2017, Jason was a research engineer and R&D lead for Fortego, LLC. Jason began his career as a software engineer with Chiron Technology Services, Inc.

Jason is President of the Indiana InfraGard Members Alliance, a partnership between the FBI and the private sector that facilitates public-private collaboration and information sharing. Jason also serves on the Indiana Executive Council on Cybersecurity as a co-chair for economic development and a contributing member for defense. In 2020, Jason co-founded Edjro, an IoT edtech product provider that supports teachers in the classroom. He also holds a personal membership to the Indiana IoT Lab.

Jason earned a B.S. degree in computer science from Purdue University.

Jonathan Tubb
Director Industrial Cyber Security North America
Siemens Energy

Jonathan Tubb is a cyber security expert with extensive expertise and experience in developing solutions to Siemens Energy’s biggest security challenges. He specializes in identifying, mitigating and remediating threats in critical infrastructure environments. Jonathan holds a B.S. in Computer Engineering from Ohio State University and maintains a Professional Engineer (P.E.) license in Computer Engineering. He brings over 10 years of hands-on experience to his current role as Director, Industrial Cyber and Digital Security at Siemens Energy, Inc.