Make software security measurable, comparable and transparent
Test and certify network-connectable products and systems within the “Internet of Things”
There is a proliferation of security claims, best practices, and emerging standards, but lack of a widely adopted industry standard and compliance program. What the industry needs now is a basis of measurement that can serve to provide all stakeholders with assurance that due diligence regarding product and system security has been performed.
Customers worldwide are asking UL to help support their organizations bring safer and more secure products and systems to market. Purchasers would like to address security in their supply chain by having an independent trusted third party, like UL, perform assessments on products and systems, and on the vendors that manufacture, install, operate and maintain those products and systems.
The UL Cybersecurity Assurance Program (CAP) brings transparency to product and system security. CAP is based on industry initiatives, regulations, standards, and best practices, and brings elements of these together into one reliable testing and certification program.
UL utilizes CAP as the primary framework for our product and system security services. CAP certification verifies compliance to requirements validating that a product or system offers a reasonable level of protection against risks that may result in unintended or unauthorized access, change or disruption.
Such access, change or disruption could alternatively result in changes to functionality, performance failure, breaches of the confidentiality, integrity and/or availability of the data stored in or generated by the product or system, or the attacker using a compromised product or system to gain entry into any network or system to which the product is connected.
UL CAP also verifies that the vendor of a certified product or system maintains reasonably mature processes for the development and maintenance of the software. This verification is to validate that future patches, updates or new versions of the software of a certified product or system will not result in a lower level of protection when compared to the product at the time of evaluation.
The UL CAP assessment is based on the requirements in the UL 2900 Standard. Certification brings end users increased confidence in the security and ROI of the products and systems that they use. UL CAP also supports manufacturers’ and vendors’ drive to excellence and provides an efficient and cost-effective way to positively differentiate products in the global marketplace.
Product or System Assessment
Verify and validate the absence of known vulnerabilities, weaknesses, and known malware in products and the effective implementation of security controls
Attackers regularly employ well-known vulnerabilities to steal private data and gain control over critical systems. In a 2014 study, HP revealed that 70% of Internet of Things devices have known vulnerabilities. UL’s vulnerability analysis helps to effectively reduce security risks posed by software vulnerabilities.
Coding flaws, defects, and bugs are a main cause for easily exploitable software vulnerabilities. By identifying and exposing vulnerabilities, especially during development, this can significantly reduce or eliminate security risks in products’ and systems’ software, ideally before deployment.
CAP certified products or systems are well-positioned to thwart attempts to change a product’s or system’s functionality, access the data that a product or system collects, processes or stores, or utilize a flaw in the product or system to gain entry that anywhere that product or system is connected to.
The Product or System Assessment involves testing, including:
- Fuzz or robustness testing of products to identify zero day vulnerabilities over all interfaces. Robustness testing aims to test the product’s resilience against unexpected or malformed input.
- Scanning the product’s software executables and libraries for known vulnerabilities and exposures, using the Common Vulnerability Enumerations (CVE).
- Identification of known malware on products.
- Static source code analysis for software weaknesses identified by Common Weakness Enumerations (CWE).
- Static binary analysis for software weaknesses identified by Common Weakness Enumerations (CWE), open source software and third party libraries.
- Structured penetration testing based on flaws identified in other tests.
A product’s software may be technically well-secured – secure code, patched against known exploits, etc. – but without the correct implementation of applicable security controls, the product is still vulnerable to cyber-attacks.
Therefore, and in addition, a Product or System Assessment verifies a product’s software is in compliance with required security controls. These security controls may include but not be limited to role-based access control, secure data storage, cryptography, key management, authentication, integrity and confidentiality of all data received and transmitted.
The UL 2900 Standard contains minimum requirements on each of these controls. The Standard contains requirements for the vendor or manufacturer to design the security controls in such a way that they demonstrably satisfy the security needs of the product. Also, the Standard describes testing and verification requirements for collecting evidence that the designed security controls are implemented.