Guest: Shane Fry (LinkedIn)
Company: RunSafe Security
Show: Let’s Talk
Since its founding in 2018, RunSafe Security has been dedicated to protecting embedded devices from persistent memory corruption vulnerabilities that have long challenged the industry. In this episode, Shane Fry, CTO of RunSafe Security, discusses the company’s origins, its adaptable security solutions for diverse industries, the growing importance of software bills of materials (SBOMs), and strategic expansion into new markets such as QNX and the automotive and aerospace sectors. Fry says, “We’re really here to help flip the script on cyber attacks targeting critical infrastructure and help device manufacturers and asset owners deploy more secure devices.”
Founding of RunSafe Security to secure embedded devices
- Fry explains that RunSafe Security was founded in 2018 to address long-standing memory corruption vulnerabilities within embedded devices, a problem that has challenged the industry for nearly 30 years and continues to pose significant risks.
- Fry underscores the importance of securing devices in sectors such as industrial control systems and public utilities, where any compromise in device security could have serious implications for national safety and operational resilience.
- The company’s mission is to provide manufacturers and asset owners with embedded device security, reducing risks posed by cyber threats to essential infrastructure and ensuring the stability of critical systems.
Expanding security across a broad range of embedded devices
- Fry describes how RunSafe Security’s flexible solution can protect a wide array of devices, from resource-limited sensors used in field operations to robust server racks operating within data centers, offering versatile security measures.
- Fry outlines the industries they serve, including aerospace, defense, energy generation, automotive, and medical sectors, where they provide tailored protections to meet each industry’s unique security needs and regulatory demands.
- A key use case is in medical devices, where RunSafe’s technology helps safeguard life-critical devices such as Bluetooth-enabled pacemakers, which are especially vulnerable to sophisticated cyber threats.
Customizable solutions to meet industry-specific compliance requirements
- Fry highlights that RunSafe Security’s platform is adaptable, designed to meet diverse regulatory and compliance requirements across industries with high-security needs, like defense, healthcare, and energy.
- Their platform includes an SBOM feature, along with cyber protections, providing clients with comprehensive insight into software components and aiding in the management of software supply chain risks.
- Fry emphasizes the platform’s reliability and rigorous testing, which allows it to be deployed across various sectors without disrupting operations, ensuring consistent security for critical industry systems.
Integrating security features through a comprehensive, cloud-based platform
- Fry describes their platform as a cloud-based SBOM solution, primarily hosted in public cloud environments but also available in private cloud or on-premises configurations for added deployment flexibility.
- The platform integrates with source repositories to generate accurate SBOMs at build time, giving users a detailed view of the software’s components and dependencies, essential for security and compliance.
- With just a single-line code modification, customers can adopt these protections easily, making it a convenient option for device manufacturers and developers looking to embed security into their software without additional complexity.
Growing industry awareness around the use of SBOMs
- Fry discusses that industries such as healthcare already have strong SBOM awareness due to regulatory requirements from bodies like the Food and Drug Administration (FDA), which mandate transparency and security in medical device software.
- Recent government measures, such as the Biden administration’s executive order and the EU Cyber Resilience Act, are encouraging broader SBOM adoption across diverse industries and emphasizing security best practices.
- The S4 Conference highlights varying awareness levels across industries, with Fry noting that companies are at different stages in understanding and implementing SBOMs as an essential part of their security strategy.
Leveraging and contributing to open source for enhanced security
- Fry explains that RunSafe Security integrates open-source software into its products, carefully monitoring for open-source license compliance and addressing vulnerabilities to ensure robust security standards.
- Their team also contributes features and patches back to the open-source projects they use, aiming to improve the security and functionality of these community-driven projects for the benefit of all users.
- Many of RunSafe’s clients use the company’s protections specifically to secure open-source components within embedded devices, achieving the necessary functionality along with critical security protections.
Supporting broader ecosystems in cloud and edge computing
- While RunSafe Security primarily focuses on securing embedded devices, Fry emphasizes that they recognize the importance of also securing cloud and edge infrastructure that supports these devices.
- Their solution includes protections for widely used Docker images, enabling device manufacturers and asset owners to secure applications running in containerized environments, including Kubernetes and Docker deployments.
- Fry shares their plans to expand support to additional Real-Time Operating Systems (RTOSes), such as QNX and Linux, aiming to achieve compliance with automotive and aerospace safety standards, which opens up new markets and broader applications for their technology.
Addressing embedded device security challenges and vulnerabilities
- Fry outlines specific vulnerabilities in embedded devices, which often lack user authentication and are thus more exposed to memory corruption, making them prime targets for cyber attackers aiming at critical infrastructure.
- Fry highlights the high prevalence of these vulnerabilities within industrial control systems, where even minor security flaws can jeopardize essential infrastructure, posing substantial operational and safety risks.
- Emphasizing the critical need for robust security, Fry explains that addressing these vulnerabilities is essential to prevent large-scale cyber incidents that could disrupt vital services and impact public safety.
The role of AI and generative AI in device security
- Fry explains that AI is widely applied in network monitoring to detect anomalies and unusual patterns, providing critical security insights that extend beyond the boundaries of the embedded devices themselves, where traditional methods may fall short.
- While generative AI isn’t specifically designed to pinpoint vulnerabilities within embedded software, Fry notes that it still holds value by assisting security analysts in identifying high-priority areas, effectively streamlining vulnerability analysis and response.
- Fry sees AI’s potential in embedded device security expanding as more devices gain connectivity, enabling innovative, real-time threat detection approaches that could better safeguard critical systems and infrastructure.
Recent funding and strategic growth plans for RunSafe Security
- RunSafe Security’s recent Series B funding round, led by Critical Ventures, SineWave Capital, and BMW i Ventures, raised $12 million, a significant investment aimed at scaling the company’s security solutions and expanding its technical capabilities.
- This funding will drive platform enhancements, with a focus on more precise SBOM generation, advanced supply chain risk assessment, and improved data accuracy, ensuring clients receive actionable security insights with very few false positives.
- Future plans involve extending support to additional RTOSes, such as QNX, and achieving safety compliance for sectors like automotive and aerospace, opening doors to new markets while solving critical security challenges across high-risk industries.
This summary was written by Emily Nicholls.





