TCG member OnBoard Security, which offers a Trusted Software Stack (TSS) for the TPM 2.0, has just published a useful paper on how to evaluate software security and how to develop and maintain more secure software. The paper also includes some case studies and best practices for using the TPM.

From that paper…”The process of evaluating security software is complex for several reasons. First, the technical pros and cons of the solutions you are considering may be difficult to enumerate without advice from seasoned security experts. Your organization may not have this expertise.

The solution with the lowest initial cost may have substantially higher development and support costs over the entire product life cycle. The free open-source solution may end up costing more over time than itsPicture1 commercial counterpart.

There could be substantial liability issues if the software you choose is compromised. There have been numerous high-profile security breaches over the past several years which have been very damaging to the affected companies. New legislation, particularly the “General Data Protection Regulation” (GDPR) in Europe, greatly increases manufacturers’ and service providers’ financial exposure if a security breach exposes their customers’ private data.

Lastly, the service model for IoT requires a resilient system so that a deployed device does not require field maintenance. If an IoT system gets “bricked” by a cyberattack, fixing it may be impossible or prohibitively expensive. Strong security and recoverability can provide powerful resilience properties to a new generation of IoT devices….” Read the blog post and link to the paper here, http://blog.onboardsecurity.com/blog/setting-and-achieving-security-design-goals