Device Security
Introduction¶
Product-security expectations are increasingly shaped by regulations, industry standards, customer requirements, and market expectations. Across these frameworks, two common principles are secure by design and secure by default. Security should be considered from the earliest stages of product development, and devices should be delivered with secure configurations out of the box, without requiring additional user intervention.
In practice, products often need to address risks such as unauthorized access, data exposure, software vulnerabilities, and insecure update mechanisms. Security is not a single feature but a combination of coordinated capabilities across hardware, software, provisioning, and lifecycle management.
This page provides a structured overview of key device-security areas aligned with these principles. It is intended as a planning guide to help identify relevant security topics and prepare for implementation based on your selected platform and release.
Info
As a result, they are not secure by design or secure by default and do not reflect the security posture of a finished product. Customers are responsible for selecting, implementing, and validating the security features needed for their product development and production process.
Customer Responsibility and Security Decisions¶
Customers are responsible for determining which security measures fit their product, based on their own use case, risk assessment, and applicable requirements. This page outlines available capabilities and typical implementation considerations, but it does not prescribe a specific security configuration or determine which features apply to a specific product.
For many products, this work typically includes:
- Selecting the security features and controls appropriate for the product.
- Enabling and integrating those features in the final software.
- Managing keys, secrets, and related manufacturing or provisioning steps.
- Defining how security features are operated and maintained over the product lifecycle.
Security Topics to Plan For¶
Protection Against Unauthorized Access and Misuse¶
Device-security planning commonly includes controls to prevent unauthorized access to interfaces, services, and data. This includes controlling access to system functions, restricting debug capabilities, and enforcing proper authentication and authorization mechanisms.
Example planning questions include:
- Which interfaces (network, physical, debug) must be protected?
- How are users, services, or systems authenticated?
- How are permissions and access rights enforced?
- How are unused interfaces disabled or restricted?
Data Protection and Data Integrity on the Device¶
Product designs often need to protect data against unauthorized access and tampering, both at rest and while the device is operating. This includes safeguarding cryptographic material, device identity, and application data.
Example planning questions include:
- Which data requires confidentiality and/or integrity protection?
- How is sensitive data stored securely on the device?
- How is data integrity verified during boot and runtime?
- How are cryptographic keys protected?
Minimizing the Attack Surface¶
Reducing the attack surface limits the opportunities for exploitation. This includes removing unnecessary components, disabling unused services, and minimizing exposed interfaces.
Example planning questions include:
- Which services and packages are strictly required?
- Which interfaces can be disabled or restricted?
- How is the system hardened against common attack vectors?
- How are default configurations secured?
Secure Updates and Lifecycle Security¶
Long-term product maintenance often includes secure software updates and lifecycle security planning. This includes ensuring authenticity and integrity of updates, as well as defining processes for maintenance and end-of-life.
Example planning questions include:
- How does the system ensure that only authentic, signed software runs on the device, starting from the boot chain (for example, secure or verified boot)?
- How are software updates authenticated and verified?
- How are updates delivered securely, such as over-the-air (OTA) updates?
- What is the rollback or recovery strategy, and how is a downgrade to an older, vulnerable version prevented?
- How is long-term maintenance handled?
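The following is an added example of the update-verification order the questions above point at; it is not code from this page or from any vendor's update client. It assumes a manifest format (`version`, `size`, `sha256`) chosen for the example, and it uses HMAC-SHA256 as a stand-in for the signature so that it runs with the Python standard library alone. A real device holds only a public key and verifies an asymmetric signature (for example Ed25519 or RSA) made on the build system; the control flow shown here is the same: authenticate the manifest, only then parse it, reject anything not newer than the highest version ever installed, and finally check the payload digest bound to that manifest.

```python
"""Update verification: authenticated manifest, anti-rollback, payload digest.

Added example, not code from the original page. Assumptions:
- Manifest is JSON {"version": int, "size": int, "sha256": hex} shipped next to
  the payload; format chosen for this example.
- HMAC-SHA256 stands in for an asymmetric signature so the example runs with
  the standard library only. In production the device holds a PUBLIC key and
  the signing key never leaves the build/signing system.
- installed_version stands in for a counter the device persists in storage the
  normal OS cannot roll back (secure element, TPM NV, or similar).
"""
import hashlib
import hmac
import json

# Constructed key for the example only; never embed signing material in firmware.
UPDATE_VERIFY_KEY = b"example-update-signing-key-not-for-production"
CHUNK = 64 * 1024


def canonical_manifest(manifest):
    """Serialise deterministically so the bytes signed are the bytes verified."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=UPDATE_VERIFY_KEY):
    """Build-side step: returns (manifest_bytes, signature). HMAC stand-in, see above."""
    data = canonical_manifest(manifest)
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def payload_sha256(payload):
    """Hash the image in chunks, as a device streams it from flash or a download."""
    h = hashlib.sha256()
    view = memoryview(payload)
    for off in range(0, len(view), CHUNK):
        h.update(view[off:off + CHUNK])
    return h.hexdigest()


def verify_update(manifest_bytes, signature, payload, installed_version, key=UPDATE_VERIFY_KEY):
    """Fail-closed: authenticate metadata, then anti-rollback, then payload integrity."""
    # 1. Authenticate the manifest before trusting anything inside it.
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signature)):
        return False, "manifest signature invalid"
    # 2. Only now parse the (authenticated) metadata.
    try:
        manifest = json.loads(manifest_bytes)
        version = int(manifest["version"])
        size = int(manifest["size"])
        digest = str(manifest["sha256"])
    except (ValueError, KeyError, TypeError) as exc:
        return False, f"manifest malformed: {exc}"
    # 3. Anti-rollback: refuse anything not newer than what was ever installed.
    if version <= installed_version:
        return False, f"rollback rejected: {version} <= installed {installed_version}"
    # 4. Payload integrity, bound to the authenticated manifest.
    if len(payload) != size:
        return False, "payload size mismatch"
    if not hmac.compare_digest(payload_sha256(payload), digest):
        return False, "payload digest mismatch"
    return True, "ok"


def run_scenarios():
    """Exercise a valid update and the three failures a device must refuse."""
    installed = 7  # highest version ever installed on this device (persisted in real life)
    good_payload = bytes(range(256)) * 1000  # constructed 256 kB stand-in for an image
    manifest = {"version": 8, "size": len(good_payload), "sha256": payload_sha256(good_payload)}
    mbytes, sig = sign_manifest(manifest)
    results = {"valid": verify_update(mbytes, sig, good_payload, installed)}

    # A correctly signed but older (or current) release replayed to reintroduce a known bug.
    old = {"version": 7, "size": len(good_payload), "sha256": payload_sha256(good_payload)}
    ombytes, osig = sign_manifest(old)
    results["downgrade"] = verify_update(ombytes, osig, good_payload, installed)

    # Payload swapped or corrupted in transit while the manifest stays valid.
    bad_payload = good_payload[:-1] + bytes([good_payload[-1] ^ 0x01])
    results["tampered_payload"] = verify_update(mbytes, sig, bad_payload, installed)

    # Manifest edited after signing to claim a newer version.
    forged = json.loads(mbytes)
    forged["version"] = 99
    results["forged_manifest"] = verify_update(canonical_manifest(forged), sig, good_payload, installed)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

Two points carry over to a real implementation: the installed-version counter is only an anti-rollback control if the attacker cannot reset it, so it belongs in hardware-backed or write-protected storage rather than in the same filesystem the update replaces; and the payload digest is only meaningful because it comes from an authenticated manifest, which is why the signature check runs first and the code never parses unauthenticated metadata.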
Vulnerability Management and Incident Response¶
Product security planning commonly includes processes to identify, manage, and remediate vulnerabilities over time. This includes monitoring for new issues and providing timely fixes.
Example planning questions include:
- How are vulnerabilities tracked and assessed?
- How are fixes developed and delivered to devices?
- How are security incidents handled?
Logging, Monitoring, and Auditability¶
Logging and monitoring capabilities help detect misuse, support incident response, and provide traceability for security-relevant events.
Example planning questions include:
- Which security-relevant events must be logged?
- How are logs protected against tampering?
- How are logs accessed and analyzed?
- Are remote monitoring or alerting mechanisms required?
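As an added example for the question of protecting logs against tampering (it is not code from this page or from any vendor's logging stack), the block below builds a tamper-evident event log: each record carries the SHA-256 of its predecessor and an HMAC over its own contents, and a verifier walks the chain and reports the first break. The device key, the sample events and the record layout are all constructed for the example. It also shows the limit of the technique: dropping records from the tail is invisible unless the latest chain hash is anchored outside the log, for instance by reporting it to a server or storing it in secure storage.

```python
"""Tamper-evident event log: a hash chain with a per-record HMAC.

Added example, not code from the original page. Assumptions:
- DEVICE_LOG_KEY stands in for a key a real device keeps in hardware-backed
  storage (TPM, secure element) and never exposes to ordinary processes.
- Each record carries the SHA-256 of its predecessor, so editing, deleting or
  reordering any record breaks the chain; the HMAC stops an attacker who can
  write to the log from simply recomputing the chain.
"""
import hashlib
import hmac
import json

# Constructed key for the example only; never hard-code keys in shipped firmware.
DEVICE_LOG_KEY = b"example-device-log-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample events, not real device output.
SAMPLE_EVENTS = [
    {"type": "boot", "image_version": "2.4.1"},
    {"type": "login", "user": "operator", "iface": "ssh", "result": "ok"},
    {"type": "config_change", "user": "operator", "key": "debug_uart", "value": "disabled"},
]


def _canonical(record):
    """Deterministic serialisation so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(record):
    return hashlib.sha256(_canonical(record)).hexdigest()


def append_event(log, event, key=DEVICE_LOG_KEY):
    """Append an event chained to the previous record and tagged with an HMAC."""
    body = {
        "seq": len(log),
        "prev": _record_hash(log[-1]) if log else GENESIS,
        "event": event,
    }
    record = dict(body, mac=hmac.new(key, _canonical(body), hashlib.sha256).hexdigest())
    log.append(record)
    return record


def verify_log(log, key=DEVICE_LOG_KEY, expected_head=None):
    """Walk the chain; return (True, "ok") or (False, reason) at the first break.

    expected_head is the hash of the last record as anchored outside the log
    (reported to a server, or saved in secure storage). Without it, silently
    dropping records from the tail is undetectable.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i:
            return False, f"seq gap at position {i}"
        if rec.get("prev") != prev:
            return False, f"chain break at seq {i}"
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return False, f"bad MAC at seq {i}"
        prev = _record_hash(rec)
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, "ok"


def run_scenarios():
    """Build a log and show which kind of tampering each check catches."""
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    head = _record_hash(log[-1])  # what the device would report to its anchor
    results = {"intact": verify_log(log, expected_head=head)}

    edited = json.loads(json.dumps(log))  # deep copy, then falsify who logged in
    edited[1]["event"]["user"] = "root"
    results["edited"] = verify_log(edited)

    results["deleted"] = verify_log(log[:1] + log[2:])  # middle record removed
    results["truncated_unanchored"] = verify_log(log[:-1])  # tail dropped, no anchor
    results["truncated_anchored"] = verify_log(log[:-1], expected_head=head)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} {outcome}")
```

This makes the log tamper-evident, not tamper-proof: anyone holding the HMAC key can rewrite history, which is why the key must live where the logging process can use it but a compromised root shell cannot read it, and why the chain head needs an anchor the device itself cannot rewrite. Write-once media or forwarding records to a remote collector as they are produced complement the chain rather than replace it.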