This is a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below.

Open Group O-TTPS – Identifying Trusted Providers of Hardware and Software Components

How do you know if the vendor providing hardware or software can be trusted? How do you know if their processes can be trusted to supply your organization with hardware and software that has not been maliciously tainted?

The Open Group, “a global consortium that enables the achievement of business objectives through IT standards,” began to work on these questions “in 2009 with a meeting of government and industry representatives, said Sally Long, director of [The Open Group’s Trusted Technology Forum]. “Government came to us and asked, ‘How do we know what businesses can be trusted?’” The Open Group consortium includes many vendors, IBM is one, but strives to be vendor neutral. The Open Group mission is to help companies with reliable and secure global interoperability not to recommend a single vendor or product.

To address the issue of technology trust, the Open Group established The Trusted Technology Forum, which published the Open Trusted Technology Provider Framework (O-TTPF) in February 2011.  The Framework sets forth best practices identified by a cross-industry forum which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor’s products as more secure and trusted.

The best practices address, among other things, Product Development and Secure Engineering. Specific best practices in those categories include (but are not limited to):

Secure Engineering:

  • Threat modeling
  • Secure code design reviews
  • Risk assessments
  • Tooling to minimize risk
  • Static code analysis

Product Development:

  • Well documented processed and practices
  • Formally managed requirements, design, etc
  • Quality test management

The O-TTPF is complemented by the Open Trusted Technology Provider™ Standard (O-TTPS), Version 1.0 (April 2013) which contains a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT). The standard encompasses the entire COTS ICT Lifecycle through: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

On February 3, 2014 The Open Group announced the launch of the Open Trusted Technology Provider™ Standard (O-TTPS) Accreditation Program to help companies assure the integrity of COTS ICT products and safeguard the global supply chain from Cybersecurity attacks. To be accredited, organizations must demonstrate that they conform to the O-TTPS requirements and have compliant processes and procedures in place that secure in-house development across the entire COTS ICT lifecycle.

When accredited, organization can identify themselves as Open Trusted Technology Providers™ and are included in the Open Group’s public registry of trusted providers. Completing accreditation means that an organization has followed O-TTPS to ensure that they “Build with Integrity” so their customers can “Buy with Confidence”. In January 2014, IBM received O-TTPS accreditation for the Application Infrastructure and Middleware (AIM) Software Business Division.

Andras Szakal, Vice President, Chief Technology Officer, IBM U.S. Federal IMT: said: “Secure by Design is a key tenant of the IBM secure engineering process. The Open Trusted Technology Provider™ Standard and Accreditation Program will help guide and recognize trusted technology vendors like IBM that value Secure by Design best practices.”

If you buy or build software or hardware for your organization, please take a closer look at the standard and guidance from The Open Trusted Technology Provider™ Standard and Accreditation Program.

 

And then, please let us know your thoughts on the program. Will this program help your organization “Buy with Confidence?” Why or why not?

How do you know if the vendor providing hardware or software can be trusted? How do you know if their processes can be trusted to supply your organization with hardware and software that has not been maliciously tainted?

What is the importance of software security in supply chain management?

Who Should be Responsible for Application Security Testing?

Can “generated code” be tested?

How do we secure application vulnerabilities and code development, particularly for mobile and social applications that are built by business units or reside on the cloud?

As a CISO, how can I control my organization’s testing methodologies, change management and deployment processes, without compromising on quality and project timelines?
How Can I Secure Apps in the Cloud?

Will the legal landscape change if software vendors can be sued without damages or loss being proven?
The Legal Landscape: Can vendors be sued without damages? What the heck is PII?

What is PII – How much can the definition expand?
Mobile Apps: Which are More Secure Android or iOS?

Does IoT (Internet of Things) “change everything” for Application Security?

What is the difference between PCI DSS and PA DSS?

How can we foster cooperation to help our Development and Security Teams work together?

How do I know my Cloud Service Provider (CSP) Applications are secure?

What can I do to help eradicate SQLi or at least reduce the incidence of SQLi vulns in our production applications?

Submit your questions via Twitter using #ThinkAppSec


 

More from Software Vulnerabilities

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today