Should there be an Underwriters Laboratories certification for software in IoT products?

Presented at AppSec USA 2016, Oct. 13, 2016, 2:15 p.m. (60 minutes)

The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited. 

UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.

This panel will discuss the pros and cons of the Cyber Assurance Program's pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.

Presenters:

• Joshua Corman - Founder - I am The Cavalry
  Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He also serves as adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.
• Anita D'Amico - CEO - Code Dx, Inc.
  Anita D'Amico, PhD is a survivor of one of the US government's other programs for certifying security technology, the National Information Assurance Partnership (NIAP). She is CEO of Code Dx, Inc. which has commercialized innovative application security technology developed by Secure Decisions, an R&D organization which she also directs. She is an evangelist for making secure code development easier and more affordable. Her prior experience includes developing a network security visualization system, SecureScope, which was used as a test case by a Common Criteria Testing Laboratory in the early stages of the NIAP certification process. Anita has published papers on topics such as transitioning cyber security R&D into operations, security decision-making, and security visualization.
• Kevin Greene - Department of Homeland Security, Science and Technology
  Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry. Kevin has more than 17 years of cybersecurity and information assurance experience in program management, security operations, software assurance, security engineering, and security architecture. Kevin currently hosts the "Cybersecurity Insights and Perspectives" podcast on Fedscoop radio, and is a contributing author for Darkreading.com.

Links:

• https://appsecusa2016.sched.com/event/7tAB/should-there-be-an-underwriters-laboratories-certification-for-software-in-iot-products
• https://www.youtube.com/watch?v=isO7FlbBMhI

Similar Presentations:

• BSidesLV 2019 / Certification and Labeling in IoT
• Black Hat USA 1999 / Overview of Certification Systems: x.509, CA, PGP and SKIP.
• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10