UL’s cyber assurance program (CAP) was recently discussed at OWASP’s AppSecUSA Security Conference in Washington, D.C.
Consumers rely on UL listings to certify the safety and reliability of products such as light bulbs, batteries and smoke detectors. For network-connectable products, UL conducts static analysis, dynamic analysis, binary analysis and fuzzing to evaluate whether a product contains known vulnerabilities or software weaknesses, and whether those findings can be mitigated or patched.
However, panelists at the premier application security conference questioned the value of UL's CAP. While they supported the idea of a software certification system, they doubted that current software analysis tools can really certify software: effective certification would require a suite of automated tools, and right now it is not clear what the existing tools can and cannot find. There were other concerns as well.
One panel member, Anita D'Amico, CEO of Code Dx, raised concerns about the cost of the certification program and its potential to create a barrier for smaller vendors and developers, adding that the UL process runs the risk of emphasizing compliance over a risk management approach to software security.
The panelists added that the current certification process could create a false sense of security: a device or piece of software may have no known vulnerabilities at the time of certification, but flaws might have slipped through the testing process, and new ones will be discovered after the certificate is issued.
Unlike hardware, which typically has a measurable mean time to failure, software does not fail predictably. Given the way cyber security is practiced today, UL cannot build a certification process whose result stays trustworthy over time; it would require that security literally be engineered into applications from the start for a UL certification to hold up.
Ms. D'Amico's comments advocating a digital risk management (DRM) approach are spot on. UL advocates in attendance confirmed that UL is looking for new and innovative tools that can better test and evaluate software, but recognizes that for now it has to make the most of what is available. At the same time, UL's broader objective is to push industry to incorporate security and to focus on managing risk.
DRM is a highly viable option for UL in an otherwise limited environment. A DRM framework would let UL develop a prescriptive, unified approach to measuring and managing digital risk at the heart of a cyber assurance program.
Ultimately, a DRM framework becomes the foundation for managing risk across functions by quantifying the business impact of digital risk. This lets business leaders understand the risk profile of their operations and lets the organization as a whole prioritize mitigation decisions according to the level of operational and financial risk.
For more information, check out our website on DRM solutions.