Should there be an Underwriters Laboratories certification for software in IoT products? (Audio only)
Anita D'Amico, Joshua Corman, Kevin Greene at AppSec USA 2016
Should there be an Underwriters Laboratories certification for software in IoT products?
The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited.
UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.
This panel will discuss the pros and cons of the Cyber Assurance Program’s pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.
Speakers
Joshua Corman
CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems.
Anita D'Amico
CEO, Code Dx, Inc.
Anita D’Amico, PhD is a survivor of one of the US government’s other programs for certifying security technology, the National Information Assurance Partnership (NIAP). She is CEO of Code Dx, Inc. which has commercialized innovative application security technology developed by Secure Decisions, an R&D organization which she also directs. She is an evangelist for making secure code development easier and more affordable.
Kevin Greene
Department of Homeland Security, Science and Technology
Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.
The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited.
UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.
This panel will discuss the pros and cons of the Cyber Assurance Program’s pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.
Speakers
Joshua Corman
CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems.
Anita D'Amico
CEO, Code Dx, Inc.
Anita D’Amico, PhD is a survivor of one of the US government’s other programs for certifying security technology, the National Information Assurance Partnership (NIAP). She is CEO of Code Dx, Inc. which has commercialized innovative application security technology developed by Secure Decisions, an R&D organization which she also directs. She is an evangelist for making secure code development easier and more affordable.
Kevin Greene
Department of Homeland Security, Science and Technology
Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.