Verifying and validating the absence of known vulnerabilities, weaknesses and known malware in products, and the effective implementation of security controls.
Attackers regularly employ well-known vulnerabilities to penetrate networks, steal private data and gain control over critical systems. Attackers may use a compromised product to gain entry into any network or system to which the product is connected. Unless a business is capable of reviewing every line of code in every single product, it is a challenge to feel confident about the security of an IT ecosystem.
The UL Cybersecurity Assurance Program (CAP) brings peace of mind. CAP certification verifies that a product offers a reasonable level of protection against threats that may result in unintended or unauthorized access, change or disruption.
UL CAP assessment is based on the requirements of the UL 2900 Standard. UL 2900-1 and the subparts of UL 2900-2 contain product requirements that will be verified during a product assessment.
CAP-certified products are well positioned to thwart attempts to change a product’s functionality; access the data that a product collects, processes or stores; or utilize a flaw in the product to gain entry into any network or system to which the product is connected.
The product assessment involves testing, including:
- Scanning the product’s software executables and libraries for known vulnerabilities and exposures.
- Static code analysis on all source code that is made available to the laboratory by the vendor of the product, to look for software weaknesses as identified in the SANS Top 25 and OWASP Top 10.
- Static analysis of all compiled executables and libraries of the product for known malware and vulnerabilities.
- Dynamic runtime analysis of all software in the product to look for software weaknesses that cannot be discovered by using static code analysis.
- Robustness testing for all external interfaces and communication protocols of the product, using generational fuzz testing techniques, if available, and template-based fuzz testing techniques otherwise. Robustness testing aims to test the product’s resilience against unexpected or malformed input.
- Limited penetration testing.
A product’s software may be technically secure, including secure code patched to protect against known exploits, but without the correct implementation of applicable security controls, the product is still vulnerable to cyberattacks.
A product assessment verifies a product’s software is in compliance with required security controls. These security controls may include, but are not limited to, role-based access control, secure data storage, cryptography, key management, authentication, integrity and confidentiality of all data received and transmitted.
The UL 2900 Standard contains minimum requirements for each of these controls. The Standard contains requirements for the vendor to design the security controls in such a way that they demonstrably satisfy the security needs of the product. The Standard also describes testing and verification requirements aimed at collecting evidence that the designed security controls are implemented.