This is a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below.

Open Group O-TTPS – Identifying Trusted Providers of Hardware and Software Components

How do you know if the vendor providing hardware or software can be trusted? How do you know if their processes can be trusted to supply your organization with hardware and software that has not been maliciously tainted?

The Open Group, “a global consortium that enables the achievement of business objectives through IT standards,” began to work on these questions “in 2009 with a meeting of government and industry representatives, said Sally Long, director of [The Open Group’s Trusted Technology Forum]. “Government came to us and asked, ‘How do we know what businesses can be trusted?’” The Open Group consortium includes many vendors, IBM is one, but strives to be vendor neutral. The Open Group mission is to help companies with reliable and secure global interoperability not to recommend a single vendor or product.

To address the issue of technology trust, the Open Group established The Trusted Technology Forum, which published the Open Trusted Technology Provider Framework (O-TTPF) in February 2011.  The Framework sets forth best practices identified by a cross-industry forum which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor’s products as more secure and trusted.

The best practices address, among other things, Product Development and Secure Engineering. Specific best practices in those categories include (but are not limited to):

Secure Engineering:

  • Threat modeling
  • Secure code design reviews
  • Risk assessments
  • Tooling to minimize risk
  • Static code analysis

Product Development:

  • Well documented processed and practices
  • Formally managed requirements, design, etc
  • Quality test management

The O-TTPF is complemented by the Open Trusted Technology Provider™ Standard (O-TTPS), Version 1.0 (April 2013) which contains a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT). The standard encompasses the entire COTS ICT Lifecycle through: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

On February 3, 2014 The Open Group announced the launch of the Open Trusted Technology Provider™ Standard (O-TTPS) Accreditation Program to help companies assure the integrity of COTS ICT products and safeguard the global supply chain from Cybersecurity attacks. To be accredited, organizations must demonstrate that they conform to the O-TTPS requirements and have compliant processes and procedures in place that secure in-house development across the entire COTS ICT lifecycle.

When accredited, organization can identify themselves as Open Trusted Technology Providers™ and are included in the Open Group’s public registry of trusted providers. Completing accreditation means that an organization has followed O-TTPS to ensure that they “Build with Integrity” so their customers can “Buy with Confidence”. In January 2014, IBM received O-TTPS accreditation for the Application Infrastructure and Middleware (AIM) Software Business Division.

Andras Szakal, Vice President, Chief Technology Officer, IBM U.S. Federal IMT: said: “Secure by Design is a key tenant of the IBM secure engineering process. The Open Trusted Technology Provider™ Standard and Accreditation Program will help guide and recognize trusted technology vendors like IBM that value Secure by Design best practices.”

If you buy or build software or hardware for your organization, please take a closer look at the standard and guidance from The Open Trusted Technology Provider™ Standard and Accreditation Program.

 

And then, please let us know your thoughts on the program. Will this program help your organization “Buy with Confidence?” Why or why not?

How do you know if the vendor providing hardware or software can be trusted? How do you know if their processes can be trusted to supply your organization with hardware and software that has not been maliciously tainted?

What is the importance of software security in supply chain management?

Who Should be Responsible for Application Security Testing?

Can “generated code” be tested?

How do we secure application vulnerabilities and code development, particularly for mobile and social applications that are built by business units or reside on the cloud?

As a CISO, how can I control my organization’s testing methodologies, change management and deployment processes, without compromising on quality and project timelines?
How Can I Secure Apps in the Cloud?

Will the legal landscape change if software vendors can be sued without damages or loss being proven?
The Legal Landscape: Can vendors be sued without damages? What the heck is PII?

What is PII – How much can the definition expand?
Mobile Apps: Which are More Secure Android or iOS?

Does IoT (Internet of Things) “change everything” for Application Security?

What is the difference between PCI DSS and PA DSS?

How can we foster cooperation to help our Development and Security Teams work together?

How do I know my Cloud Service Provider (CSP) Applications are secure?

What can I do to help eradicate SQLi or at least reduce the incidence of SQLi vulns in our production applications?

Submit your questions via Twitter using #ThinkAppSec


 

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today