The statement “Trust me” from a manufacturer requires evidence. Trusted third parties exist to verify this statement, assess the arguments and offer a verdict. Expertise, capability, accreditation and reputation are what count when a trusted third party performs these assessments. Third parties like SGS Brightsight offer developers an independent and impartial assessment of the security capabilities of their products. This allows parties with no prior knowledge of a product to apply trust criteria and operate in a trustworthy environment. A security certification is the next step in the trust chain: a certification body, itself a trusted third party, confirms the findings of the evaluation laboratory and establishes the criteria against which such evaluations are performed.
From a laboratory perspective, there are two approaches to assessing a product's security: penetration testing and product evaluation.
1. Penetration testing
With penetration testing, SGS Brightsight carries out a series of tests that attempt to hack the product. At the end of this process, the developer has an overview of what can and cannot be exploited in the product given a certain level of attacker knowledge and effort. This provides the developer with immediate benefits, as most developers do not think like attackers and are not necessarily up to date with the latest types of attack.
2. Product evaluation
Product evaluation takes a more structured approach. SGS Brightsight first performs a vulnerability analysis to understand the potential vulnerabilities and the countermeasures in place, and then draws up a test plan to prove or disprove each hypothesised exploit of those vulnerabilities. The resulting report also carries a different level of recognition for certification purposes. Accreditation is an important element of the work of an accredited evaluation laboratory: it attests not only to the laboratory's expertise but also to the quality assurance applied to the work performed, and this is reflected in the recognition given to its evaluation reports.
From a security perspective, developers may wish to have security evaluations performed by an accredited evaluation laboratory for a combination of the following reasons:
1. Market differentiation
Developers can use the evaluation results not just as a differentiator or a marketing message, but as substantiated evidence of the premium security features of their products.
2. Risk management
Knowing your product's security capabilities also provides a clear return on investment in risk management. The security report can serve as proof of due diligence, or help prevent security-related recalls and the financial and reputational damage that comes with them.
3. Compliance
This is where the evaluation laboratory industry has its origins. Compliance is a key element for developers, as the evidence produced by third-party evaluations translates into market access.
In the digital, service-oriented economy, manufacturers are reconsidering their position on risk appetite, security and security evidence as drivers of competitiveness. All three of the factors mentioned above come into play here; for example, service providers may demand compliance and/or risk-management mechanisms from their OEMs. The way to reach the goals of the fully digital society is trust.