In this session, we take a practical look at embedded cybersecurity for developers and product teams building connected devices and trying to make sense of the security landscape. We walk through the major regulations and expectations that shape connected-device security today and which ones actually apply to you, such as the FDA’s guidance, the EU’s Cyber Resilience Act (CRA), and the U.S. Cyber Trust Mark, along with the product requirements they introduce.

We start with the first steps small teams can take to close the biggest gaps. This includes early wins like generating and using SBOMs, identifying the tasks that continue long after a device ships, and sorting out which requirements truly matter for your product. We also cover cloud-specific topics such as secure architecture, provisioning, and lifecycle planning.

We spend time looking at what real attacks actually look like, why attackers target even “unimportant” devices, and how we can evaluate and verify our own products. Along the way, we explore how to talk about risk in business terms, how to decide what “good enough” looks like, and how to identify acceptable residual risk when we ship consumer hardware. By the end, you will have a clear and practical picture of the baseline safeguards every connected-device team should put in place and how to implement them.