
The Basics are the Breach: Lessons from Real-World Product Security Reviews

In this live virtual session, you’ll explore two years of product testing across healthcare, IoT, industrial, and financial systems—and see how “basic” vulnerabilities continue to cause the biggest damage. Learn how small oversights like default credentials, broken cryptography, and insecure configurations can be chained into full-scale breaches, and what you can do to stop them.

Attackers rarely need new tricks; they just keep exploiting the same old ones.

You’ll hear how attackers chain together small flaws (default credentials, exposed interfaces, broken cryptography, and insecure configurations) to achieve full compromise. This virtual session goes beyond the data to focus on what security leaders can actually do: how to raise the baseline of product security, embed testing into design, and prevent the everyday vulnerabilities that attackers rely on.

What You’ll Learn:

  • What two years of real-world product testing revealed about today’s most common vulnerabilities
  • Why “medium” and “low” issues still lead to critical business impact through attack chaining
  • How regulatory pressure, product lifecycle, and market speed influence security maturity by industry
  • Concrete actions organizations can take to eliminate systemic weaknesses and strengthen resilience

Who Should Attend:

CISOs, product security leaders, engineering managers, and anyone responsible for securing connected products or embedded systems.

Session Summary:

Bishop Fox’s Matt Twells shares two years of hands-on product security testing across healthcare, industrial/OT, consumer IoT, and financial systems. The central finding: attackers rarely need novel exploits—they reliably chain “boring” weaknesses (default creds, exposed/debug interfaces, weak/absent auth, broken crypto, insecure configs) into full compromises. Severity labels can be misleading; many medium/low issues combine into high-impact “higher-order” breaches. Industry posture tracks incentives: strong regulation (e.g., FDA) correlates with fewer critical findings, while legacy tech and weak defaults drive critical findings in industrial/OT, and a race to market with little oversight leaves consumer IoT broadly exposed. The talk closes with concrete steps: threat model early and often, prioritize authentication and interface exposure, continuously validate, and pick focused, high-impact fixes instead of chasing perfection.

Key Takeaways:

  1. Old tricks still win: Most real compromises came from chaining basics—default passwords, exposed/debug ports, weak auth, and insecure configs—rather than exotic 0-days.
  2. Severity is not impact: “Medium” and “Low” findings frequently combine into higher-order compromises (e.g., default admin + session issues + missing access controls ⇒ admin takeover).
  3. Auth is the fulcrum: When authentication/authorization falls, products often have little internal defense; fixing auth/paywall gaps is the highest-ROI control.
  4. Exposed interfaces are everywhere: Unnecessary APIs, debug ports, and services left enabled in production meaningfully expand attack surface.
  5. Crypto fails by implementation, not math: Breaks typically come from misuse of standard libraries/protocols or insecure transport—not from “cracking” strong algorithms.
  6. Industry incentives shape risk:
    • Healthcare: Strong FDA pressure drives lifecycle security and keeps most issues to Low/Medium.

    • Industrial/OT: Highest rate of critical findings due to legacy systems, weak/absent auth, and the assumption that physical access equals trust.

    • Consumer IoT: Broad systemic weakness from minimal regulation and speed-to-market; widespread reuse of vulnerable components magnifies impact.

  7. Talent & legacy strain: Aging tech stacks (PLCs, COBOL, old firmware) plus scarce specialists hinder patching and secure maintenance.

  8. Business impact > brand only: Operational outages, safety risks (e.g., altered machine job files), and regulatory/legal exposure often outweigh reputational harm.

  9. Supply-chain multiplier: A flaw in a common chip, library, or cloud dependency can propagate across millions of devices and vendors.

  10. Do the simple things, relentlessly: Threat model early, remove defaults/ensure per-device creds, lock down interfaces, and test continuously; favor targeted, high-impact fixes over trying to “fix everything.”
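
To make takeaways 2, 4 and 10 concrete, here is an added example (not code from the session or from the Bishop Fox report) of a baseline audit over device configuration snapshots. It flags the “boring” weaknesses individually at the low/medium severity a scanner would assign, then chains them into the higher-order outcome they actually enable. The two-device fleet, the default-password list, and the service names are constructed for illustration; a real audit would use the product’s own documented defaults and service inventory.

```python
"""Baseline audit of device configuration snapshots for default credentials,
exposed debug/admin interfaces, plaintext transport and weak TLS, followed by
chaining of individually low/medium findings into a higher-order compromise."""

import json
from collections import defaultdict

# Constructed sample fleet (not real product data): two units of one product line.
SAMPLE_FLEET_JSON = """
[
  {"device_id": "unit-0001",
   "admin": {"user": "admin", "password": "admin"},
   "services": [{"name": "https", "port": 443, "bind": "0.0.0.0"},
                {"name": "telnet", "port": 23, "bind": "0.0.0.0"},
                {"name": "debug-cli", "port": 4444, "bind": "0.0.0.0"}],
   "tls": {"min_version": "1.0"}},
  {"device_id": "unit-0002",
   "admin": {"user": "admin", "password": "admin"},
   "services": [{"name": "https", "port": 443, "bind": "0.0.0.0"},
                {"name": "debug-cli", "port": 4444, "bind": "127.0.0.1"}],
   "tls": {"min_version": "1.2"}}
]
"""

# Assumed lists for illustration; a real audit uses the product's documented defaults.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", ""}
DEBUG_SERVICES = {"telnet", "debug-cli", "jtag-bridge"}
ADMIN_SERVICES = {"http", "https", "telnet", "ssh"}
WEAK_TLS_VERSIONS = {"ssl3", "1.0", "1.1"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def is_exposed(svc):
    """A service bound to all interfaces is reachable from the network."""
    return svc["bind"] in ("0.0.0.0", "::")


def worst(severities):
    """Highest severity in a {finding: severity} dict, or None if empty."""
    return max(severities.values(), key=SEVERITY_RANK.get, default=None)


def audit_device(dev):
    """Per-device findings. Each one, taken alone, is rated low or medium,
    which is how a scanner report would present them."""
    findings = {}
    user, password = dev["admin"]["user"], dev["admin"]["password"]
    if password in KNOWN_DEFAULT_PASSWORDS or password == user:
        findings["DEFAULT_ADMIN_CREDS"] = "medium"
    for svc in dev["services"]:
        if not is_exposed(svc):
            continue  # loopback-only services are not network attack surface here
        if svc["name"] in DEBUG_SERVICES:
            findings["EXPOSED_DEBUG_INTERFACE"] = "medium"
        if svc["name"] in ADMIN_SERVICES:
            findings["ADMIN_INTERFACE_ON_NETWORK"] = "low"
        if svc["name"] in ("telnet", "http"):
            findings["PLAINTEXT_ADMIN_TRANSPORT"] = "medium"
    if dev.get("tls", {}).get("min_version") in WEAK_TLS_VERSIONS:
        findings["WEAK_TLS_MIN_VERSION"] = "low"
    return findings


def shared_admin_credentials(devices):
    """Groups of device IDs that share an identical admin user/password pair."""
    groups = defaultdict(list)
    for dev in devices:
        groups[(dev["admin"]["user"], dev["admin"]["password"])].append(dev["device_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def chain_findings(findings):
    """Combine low/medium findings into the higher-order outcome they enable:
    a guessable admin password on a network-reachable admin interface is a
    remote takeover; if the same credential is shared fleet-wide, it is a
    fleet-wide takeover."""
    chains = {}
    if "DEFAULT_ADMIN_CREDS" in findings and "ADMIN_INTERFACE_ON_NETWORK" in findings:
        chains["REMOTE_ADMIN_TAKEOVER"] = "high"
        if "SHARED_CREDS_ACROSS_FLEET" in findings:
            chains["FLEET_WIDE_ADMIN_TAKEOVER"] = "critical"
    return chains


def audit_fleet(devices):
    """Audit every device, add the fleet-level shared-credential finding, and
    report the worst individual severity next to the worst chained severity."""
    shared = shared_admin_credentials(devices)
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if any(dev["device_id"] in ids for ids in shared):
            findings["SHARED_CREDS_ACROSS_FLEET"] = "medium"
        chains = chain_findings(findings)
        report[dev["device_id"]] = {
            "findings": findings,
            "worst_individual": worst(findings),
            "chains": chains,
            "worst_chained": worst(chains),
        }
    return report


def run_sample():
    return audit_fleet(json.loads(SAMPLE_FLEET_JSON))


if __name__ == "__main__":
    for dev_id, entry in run_sample().items():
        print(dev_id, "worst individual:", entry["worst_individual"],
              "| after chaining:", entry["worst_chained"])
```

On the sample fleet both units top out at “medium” when findings are read one at a time, and at “critical” once chained, which is the gap between severity and impact the session describes. Issuing a unique per-device admin password removes both the default-credential and shared-credential findings, and with them the entire chain, while the remaining exposure findings stay low; that is the “highest-ROI” fix the takeaways point to.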

Learn more about Product Security Reviews with our new Product Security Reviews: The Basics Are Still the Breach report. 



About the speaker, Matt Twells

Senior Solutions Engineer

Matthew Twells was a Senior Solutions Engineer at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.

