Putting a Bounty on Security

 
Blog-pic.jpg

The IoT includes many Things. It also has applications across many different markets. So, when we at ioXt looked at building a security compliance program, we faced the challenge of a wide array of products and services targeting existing and emerging markets from a global supply chain.

Providing a measurement of security must be accurate and up to date. Lab testing is great at delivering both. But what about providing another means of third-party verification, one that could benefit a far larger number of device makers scattered around the world? To have real impact, a security compliance program needs to be accessible to all manufacturers, small and large, new and established, domestic and international.

Many organizations have tried self-declaration methods of compliance to standards in the past. While responsible and effective in theory, the problem is programs of this type are only as good as the weakest device maker or participant. The first instance of false claims—i.e., lying about a device’s security--will cause all claims to be questioned and cast doubt on the quality of the entire program.

But what if there were a roadblock for potential mistakes or dishonesty? An accessible, affordable program for all that eliminated the possibility of inaccurate self-reporting?

One of the ioXt Alliance Security Pledge principles is that a manufacturer shall have a vulnerability reporting program. At the highest level, this would require a researcher rewards program—a means by which the device maker would be held accountable, and researchers would be financially incentivized to find all security weaknesses.

As we looked to expand beyond traditional testing, it became clear our ioXt Pledge provided the perfect roadmap for testing at scale. Our “aha moment” gave birth to the first-ever bonded manufacturer certification program.

The ioXt Certification Program offers device makers two routes for certifying products. In both instances, the certification records are made public for the consumer and the researcher. As with anything ioXt related, the goals for the Program are ensuring security, upgradability and transparency.

Manufacturers may choose traditional third-party test labs from a selection of ioXt Authorized Labs, which can perform both the ioXt Alliance Certification Program and deeper security testing. Or, manufacturers may choose to directly certify their devices meet the ioXt Alliance compliance requirements through the bonded manufacturer certification program: the first “researcher reward” certification program of its kind. Researchers get paid for “success,” which is defined as correctly identifying a vulnerability in the device being tested. Whenever a certification record submitted by the device maker is found to be inaccurate, the researcher works with the manufacturer to clearly identify the issue and verify it gets corrected. So, third-party validation occurs and guarantees the quality of compliance testing.

The ioXt Certification Program not only brings third-party validation to the masses, but it’s also the first security compliance program to provide continuous validation of the certification record throughout the entire life of the product--not just once, when the device first enters production. 

For companies creating great products, there are no extra costs. However, for those companies with less-than-stellar products, mistakes will be quickly uncovered by motivated researchers and corrected before the device hits the market.

The ioXt Certification Program makes compliance testing for everyone easy, so big as well as small manufacturers do right by consumers—who can now have confidence the next baby camera they set up won’t hand over the keys to their privacy and data.

That’s a certifiable win-win.

To learn more about the ioXt Certification Program, visit ioXtAlliance.org.