Cyber UL certification: A time-saver for application security testers?
The US Cybersecurity National Action Plan, released in February 2016, announced that the US Department of Homeland Security (DHS) is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program (CAP) that will test and certify the security of network-connectable products and systems, such as medical infusion pumps, automobiles, smart meters, CCTV cameras, and appliances.
This plan comes in response to predictions by sources such as IDC that 66% of networks will have an IoT breach by 2018. One of the CAP goals is to ensure that software embedded in these devices is free of vulnerabilities that can be exploited to cause such a breach.
So the Underwriters Laboratories—yes, the same people who provide safety standards and certifications for power supply cords—have entered into the business of developing security standards and certifications for software. You may think, “But software is very different from power cords; it changes with every update.” Hold that thought; we’ll get back to it. Let’s go over the terrain first.
New security standards are born
The new UL CAP—a.k.a. Cyber UL—program offers the UL 2900 series of standards, which provide testing criteria for assessing software vulnerabilities and weaknesses, malware, and security controls in network-connectable products and systems. UL 2900-1 covers the general requirements, 2900-2-1 is specific to healthcare systems, and 2900-2-2 addresses industrial control systems.
If you are developing software for internet-connected systems, you’ll want to check out these criteria; but you have to pay to see them—somewhere between $225 and $750 depending on the number and delivery format of the standards.
UL will also certify the software in your products, for a fee ranging from $40,000 to $150,000. That’s good for a year, after which you’ll need to recertify—unless, of course, you make major changes to your software, which will require earlier recertification.
UL CAP will also assess your organizational processes to assure that you, as a supplier of a certified product, adhere to secure development and maintenance processes. I don’t know how much that costs. If you want to self-assess, you should be able to use the new UL 2900-3 standard to guide you.
Who benefits from the UL CAP?
Vendors or suppliers of the software being tested can use the UL CAP as a method for assuring their consumers that they have achieved a certain level of security in their product and that they have processes in place to maintain that level of security. This can serve as a discriminator in the vendor’s market. Consumers can also benefit from a more secure supply chain of IoT products and systems. And the certifying laboratories will benefit from the increasing demand for certification and organizational assessment services.
A few potential downsides to UL CAP
If you go through the UL CAP certification, you will have to consider its impact on time to market and cost. If, as a supplier, you embed security testing into your own processes, you can control and predict the amount of time it will take. Once you get a third-party laboratory into the mix, this internal preparation will certainly help you move along the process more quickly, but there is no guarantee that the process will move along expeditiously.
What I’ve read is that it will take several months to complete the Cyber UL testing process. I recall that the initial stage of the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) took about a year and about $250,000; let’s hope that the Cyber UL is different. But there are costs to consider: the relatively small cost of buying the standards, the much larger (up to $150,000) cost of testing, and the recurring costs to assess the software annually or after each major software change.
Is certification giving a false sense of security?
Then there is the potential false sense of security that both suppliers and consumers will experience after the software has been certified. What does “certified” really mean — that the software is free of all vulnerabilities and weaknesses? Certainly not. We already know from benchmark studies performed by the National Security Agency’s Center for Assured Software that the average static analysis tool covers only eight of the thirteen weakness classes in the Common Weakness Enumeration (CWE), and finds only 22% of the known software flaws in those classes. Kevin Green of DHS calls weaknesses not found by a tool “residual risk,” which can be significant.
Because of this, best practice in application security testing is to run multiple static application security testing (SAST) tools and multiple dynamic application security testing (DAST) tools, then correlate their results to find most of the vulnerabilities in a code base. That is what it takes to get “good vulnerability coverage.” Yet, as far as I’ve been able to uncover, the Underwriters Laboratories are using a suite of three tools: one to examine third-party libraries, one to find software weaknesses in source code, and one for fuzz testing. That doesn’t give me a lot of confidence that most of the vulnerabilities and weaknesses will be found.
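To make the coverage argument concrete, here is an added example (not from the article, and not UL’s or any vendor’s tooling) that correlates findings from several hypothetical tools against a constructed list of known flaws. The tool names, file paths, line numbers and CWE ids are all made-up sample data in a simplified `(file, line, cwe)` format; the point it demonstrates is that each tool alone has low recall, the union of correlated findings is much higher, and whatever no tool catches is the residual risk the text describes.

```python
"""Correlate findings from several analysis tools against a known-flaw set.

Added example: all tool reports and the ground-truth flaw list below are
constructed sample data, not output from any real product.
"""
from collections import defaultdict

# Constructed ground truth: a small benchmark of known flaws (file, line, CWE).
KNOWN_FLAWS = {
    ("auth.c", 42, "CWE-121"),       # stack-based buffer overflow
    ("auth.c", 88, "CWE-134"),       # format string
    ("net.c", 17, "CWE-190"),        # integer overflow
    ("net.c", 60, "CWE-362"),        # race condition (caught by no tool below)
    ("net.c", 150, "CWE-476"),       # NULL pointer dereference
    ("db.c", 30, "CWE-89"),          # SQL injection
    ("web.c", 12, "CWE-79"),         # cross-site scripting
    ("cfg.c", 5, "CWE-798"),         # hard-coded credentials
    ("lib/zlib.c", 200, "CWE-937"),  # known-vulnerable third-party component
}

# Constructed tool reports (hypothetical tools). Tools often report a line
# slightly off from the benchmark (sink vs. source), so correlation tolerates
# a small line window. The last sast_a entry is a deliberate false positive.
TOOL_REPORTS = {
    "sast_a": [("auth.c", 42, "CWE-121"), ("net.c", 17, "CWE-190"),
               ("cfg.c", 5, "CWE-798"), ("auth.c", 300, "CWE-121")],
    "sast_b": [("auth.c", 89, "CWE-134"), ("db.c", 30, "CWE-89"),
               ("net.c", 151, "CWE-476")],
    "dast":   [("web.c", 12, "CWE-79"), ("db.c", 30, "CWE-89")],
    "sca":    [("lib/zlib.c", 200, "CWE-937")],
}

LINE_TOLERANCE = 2  # how far apart two line numbers may be and still match


def matches(finding, flaw, tolerance=LINE_TOLERANCE):
    """A finding matches a known flaw on same file, same CWE, nearby line."""
    f_file, f_line, f_cwe = finding
    k_file, k_line, k_cwe = flaw
    return f_file == k_file and f_cwe == k_cwe and abs(f_line - k_line) <= tolerance


def correlate(reports, known_flaws, tolerance=LINE_TOLERANCE):
    """Map each detected known flaw to the set of tools that reported it."""
    hits = defaultdict(set)
    for tool, findings in reports.items():
        for finding in findings:
            for flaw in known_flaws:
                if matches(finding, flaw, tolerance):
                    hits[flaw].add(tool)
    return hits


def coverage(reports, known_flaws, tolerance=LINE_TOLERANCE):
    """Return per-tool recall, union recall, and the residual (undetected) flaws."""
    hits = correlate(reports, known_flaws, tolerance)
    total = len(known_flaws)
    per_tool = {tool: sum(1 for tools in hits.values() if tool in tools) / total
                for tool in reports}
    union = len(hits) / total
    residual = sorted(known_flaws - set(hits))
    return per_tool, union, residual


def cwe_class_coverage(reports, known_flaws, tolerance=LINE_TOLERANCE):
    """Which CWE ids each tool catches at least once, plus the union over tools."""
    hits = correlate(reports, known_flaws, tolerance)
    per_tool = defaultdict(set)
    for flaw, tools in hits.items():
        for tool in tools:
            per_tool[tool].add(flaw[2])
    union = set().union(*per_tool.values()) if per_tool else set()
    return dict(per_tool), union


if __name__ == "__main__":
    per_tool, union, residual = coverage(TOOL_REPORTS, KNOWN_FLAWS)
    for tool, rate in per_tool.items():
        print(f"{tool:7s} recall {rate:.0%}")
    print(f"union   recall {union:.0%}")
    print("residual risk (no tool found these):", residual)
```

On this sample data no single tool finds more than a third of the known flaws, the correlated union finds eight of nine, and the race condition is left as residual risk. In practice the matching key would be normalized from each tool’s native output (SARIF or similar) rather than hand-built, but the shape of the argument is the same: one tool’s report is a lower bound on what is wrong with the code.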
Is UL CAP worthwhile?
The new standards are a step in the right direction. While UL CAP may not be perfect, it’s better than no security testing.
But if you are a software supplier, you shouldn’t wait until your code is ready for UL testing to check its security. You have to embed several types of security testing into your development and maintenance process, including static analysis of your code base, vulnerability assessment of third-party components, and dynamic testing of the code while running. If you’re not doing this type of testing, you are being remiss with respect to software security.
There is a lot of forward movement in the area of securing software. Cyber UL isn’t the only place to look for guidance. Josh Corman and Nicholas Percoco of I Am The Cavalry propose a Five Star Automotive Cyber Safety Program comprised of five steps: safety by design, third-party collaboration, evidence capture, security updates, and segmentation/isolation. For consumers, Sarah and Peiter (Mudge) Zatko of the Cyber Independent Testing Lab (CITL) will be offering a software assessment method akin to the Consumer Reports of software security. They will provide non-experts with metrics and measures to compare the quality and security of commercial software products.
If you’re developing software for network-connectable systems, it’s past time to adopt an internal application security strategy for its development and maintenance. It is the right thing to do, and, if you decide to go down the Cyber UL path, your preparations will save you time and money.
Image credit: Flickr