HA Security self-health monitor component

As Home Assistant both supports more home security components such as door locks and alarm systems, and grows more of its own security features such as user accounts and SSL support, both the chances of mis-configuration and the impact of configuration errors increase. The addition of cloud connectivity makes the risk even greater.

It seems to me that it might make sense to add a new “security self-monitoring” component which periodically runs various checks and warns the user if there are any known issues with the configuration.

While this would only be able to scan for easily tested errors it would still be useful for several classes of issue. These would include remediating issues caused by bugs that have now been patched, issues caused by migrating from old versions that can’t be fixed in an automated manner, failure to observe known good practices in configuration and even things like checking for dreadfully weak passwords. The component could be structured to make it easy to add new rules as time goes by and any time a security issue in HA gets discovered and fixed, a rule could be added to ensure that when people upgrade there is no hangover from the old bug.

By way of a specific example, this bug was just fixed to stop authentication credentials from being stored in a globally-readable manner. The fix to the storage system only fixes the problem on new systems; if the bug was triggered in the past then your old files still have the wrong permissions. Checking for this and warning the user would be trivial to do, if only we had a component into which to put that check.

Given that a big part of the future of HA is in being connected to the cloud and the outside world we should be thinking about how to keep HA secure at a systemic level, on an on-going basis, and we need to do so sooner rather than later.
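One way the proposed component could be structured, with the credential-file permission check from the post and a weak-password rule as the first two registered rules. This is an added Python example, not Home Assistant code: the `.storage` file names, the weak-password list, and the demo configuration directories it builds are assumptions constructed for the example.

```python
"""Added example (not Home Assistant code): a minimal rule-based
security self-check of the kind proposed above.

Assumed for the example: the .storage file names, the weak-password
denylist, and the constructed demo config directories.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List


@dataclass
class Finding:
    rule: str
    message: str


# Registry of checks; each takes the config directory and returns findings.
Rule = Callable[[Path], List[Finding]]
RULES: List[Rule] = []


def register(func: Rule) -> Rule:
    """Decorator: adding a new rule is a matter of writing one function."""
    RULES.append(func)
    return func


# Files that hold credentials. secrets.yaml is real; the .storage entries
# are assumed names standing in for the auth store the post refers to.
SENSITIVE_FILES = (
    "secrets.yaml",
    ".storage/auth",
    ".storage/auth_provider.homeassistant",
)


@register
def world_readable_credentials(config_dir: Path) -> List[Finding]:
    """Flag credential files whose mode grants group or other any access."""
    out: List[Finding] = []
    for rel in SENSITIVE_FILES:
        path = config_dir / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            out.append(Finding(
                "world_readable_credentials",
                f"{rel} has mode {mode:04o}; expected 0600 (chmod 600 {rel})",
            ))
    return out


# Tiny constructed denylist; a real rule would use a larger list or a
# length/entropy threshold.
WEAK_PASSWORDS = {"password", "123456", "admin", "homeassistant", "letmein"}


@register
def weak_secrets(config_dir: Path) -> List[Finding]:
    """Scan secrets.yaml for *password* keys with trivially guessable values."""
    path = config_dir / "secrets.yaml"
    if not path.is_file():
        return []
    out: List[Finding] = []
    for line in path.read_text().splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if "password" in key.lower() and (
            len(value) < 8 or value.lower() in WEAK_PASSWORDS
        ):
            out.append(Finding("weak_secrets", f"secrets.yaml key '{key}' uses a weak password"))
    return out


def run_checks(config_dir: Path) -> List[Finding]:
    """Run every registered rule; this is what a periodic timer would call."""
    findings: List[Finding] = []
    for rule in RULES:
        findings.extend(rule(config_dir))
    return findings


def make_demo_config(root: Path, secure: bool) -> Path:
    """Build a constructed config directory (not real data) in either state."""
    cfg = root / ("secure" if secure else "insecure")
    (cfg / ".storage").mkdir(parents=True, exist_ok=True)
    pw = "k7#Qm2!vZp9rL" if secure else "password"
    (cfg / "secrets.yaml").write_text(f"http_password: {pw}\nmqtt_password: {pw}\n")
    (cfg / ".storage" / "auth").write_text('{"data": {"users": []}}\n')
    mode = 0o600 if secure else 0o644  # 0644 is the "old bug" state
    for rel in ("secrets.yaml", ".storage/auth"):
        os.chmod(cfg / rel, mode)
    return cfg


def demo() -> dict:
    """Run the checks against both constructed directories; returns findings per name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            name: run_checks(make_demo_config(Path(tmp), secure))
            for name, secure in (("insecure", False), ("secure", True))
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.rule}] {f.message}")
```

The permission rule only inspects mode bits, so it reports the stale 0644 files left behind by the old bug even though the fixed storage code now writes 0600; that is exactly the "hangover from the old bug" case the post describes. Registering a rule is one decorated function, so a new check can ship alongside each future security fix.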

I see your point. Oh, this is a huge module! And a hugely neglected aspect. If such a thing is to be designed, I can only think of it being in the core / architecture parts of the HA platform.
