Suggestion to change the principle to "The organisation offers security support for the entire lifetime of the product" - NICE TO HAVE

Assessment criteria:

- Implement a vulnerability disclosure programme (this could be a bug bounty)
- Inform users of vulnerabilities in the product and its dependencies
- Provide security updates in due time (i.e. not 6 months later)
- Ensure the backend remains secure throughout the lifetime of the product
- Have a security@ email address

Are there specific industry standards to mention?

A product will be tested to see if its firmware is compliant with:

- Usage of the latest available SDKs
- Monitor and patch with updates for core backend libraries (e.g. wifi libraries, web servers, XML parsers, etc.), not just SDK updates.
- A known-good failsafe firmware should be available
- Fair use of a Hardware Security Module
- Use of on-chip cryptographic accelerators where available
- Use of secure storage options where available
- Usage of CRP where available

Secure Setup:

- Only necessary ports open/available
- All services that handle sensitive data have adequate authentication
- No debug ports are available (ssh/telnet/etc.)
- No unnecessary services (e.g. FTP, TFTP, SMB, etc.)
- Documented moves to detect and block basic brute force attacks (e.g. password bruteforcing, WPS Pixie Dust, service bruteforcing, etc.)
- Remove Debug/Development headers from PCB (JTAG/UART/etc.)

The organisation's product must be compliant with the IoTSF Security Compliance Framework.

Assessment criteria: Relevant compliance class number is published on packaging and online presence of the organisation.

The organisation must take every precaution to protect users/its customers from the product being exposed to local / adjacent subnet attacks or any other attack.
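One way an assessor could check the "Secure Setup" criteria above (only necessary ports, no debug ports such as ssh/telnet, no unnecessary services such as FTP/TFTP/SMB) against a device's listener table. This is an added example, not code from the iotmark-principles repository; the input format mimics `netstat -tulpn`, the sample listing is constructed, and the per-product allowlist of necessary ports is an assumption.

```python
"""Audit a device's listening sockets against the Secure Setup criteria."""
import re
from dataclasses import dataclass

# Criteria from the issue, keyed by well-known port.
DEBUG_PORTS = {22: "ssh", 23: "telnet"}
UNNECESSARY_PORTS = {21: "ftp", 69: "tftp", 139: "smb", 445: "smb"}

# Hypothetical per-product allowlist (assumption): ports the product needs.
ALLOWED_PORTS = {443, 5683}  # e.g. HTTPS API and CoAP

# Matches netstat -tulpn style rows: proto, queues, local addr:port ...
ROW_RE = re.compile(r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s")

# Constructed sample listing, as netstat -tulpn would print it on the device.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:23        0.0.0.0:*         LISTEN   412/telnetd
tcp        0      0 0.0.0.0:443       0.0.0.0:*         LISTEN   388/httpd
tcp        0      0 127.0.0.1:8080    0.0.0.0:*         LISTEN   388/httpd
tcp6       0      0 :::445            :::*              LISTEN   501/smbd
udp        0      0 0.0.0.0:69        0.0.0.0:*                  455/tftpd
udp        0      0 0.0.0.0:5683      0.0.0.0:*                  390/coapd
"""

@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    severity: str
    reason: str

def audit_listeners(listing: str) -> list[Finding]:
    """Return one Finding per network-reachable listener that violates a criterion."""
    findings = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unparsable row
        addr, port, proto = m["addr"], int(m["port"]), m["proto"]
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only: not exposed to the local/adjacent subnet
        if port in DEBUG_PORTS:
            findings.append(Finding(port, proto, "high", f"debug port {DEBUG_PORTS[port]} exposed"))
        elif port in UNNECESSARY_PORTS:
            findings.append(Finding(port, proto, "medium", f"unnecessary service {UNNECESSARY_PORTS[port]}"))
        elif port not in ALLOWED_PORTS:
            findings.append(Finding(port, proto, "low", "port not on the product allowlist"))
    return findings

def is_secure_setup(listing: str) -> bool:
    return not audit_listeners(listing)
```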
[LDN meeting] re https://github.com/openiotmark/iotmark-principles/tree/v20180309#25-the-device-firmware-must-be-compliant-with-industry-security-standards