Product Tests enable vendors to independently verify the security claims made by OEM suppliers
Digital Assurance, the independent security assessment and information assurance consultancy, today announced the launch of its new Digital Product Assurance (DPA) service. DPA goes far beyond compliance and claims-based testing by subjecting digital products to aggressive real-world attacks. Suitable for hardware, software or hybrid digital systems, DPA provides a unique testing environment in which to independently validate or contest the security assertions made by OEM suppliers before committing to production. Stringent security tests emulate the types of attack the product might face when released on to the market and assess the competencies of proprietary O/S or DRM, making it the ideal testbed for high-end devices.
Vendors who seek to brand OEM goods usually have to rely upon the supplier to make the necessary security checks and assurances yet it is the vendor’s brand, customer relations and market share which are detrimentally affected if these have been exaggerated. Any product breach is likely to cause serious reputational damage and can incur high legal costs as the company seeks redress from the supplier. DPA provides the means to independently verify the security of a digital product at a time when it is increasingly important to assess the security stature of a prototype before committing to production. Examples of products that stand to benefit from DPA include:
•Access control systems and components
•IP cameras and CCTV systems
•Mobile and cordless phones
•Set-top digital TV units and smart TVs
•Games consoles
•Intruder and fire alarm systems
•SaaS offerings
•Radio communications systems (voice and data)
•Cashless vending systems
•MFD printers
•ANPR and traffic management equipment
•Process control field equipment (buildings automation and SCADA equipment)
Each DPA assessment is tailored to the product, the technology and its deployment environment and is designed to identify and expose potential security vulnerabilities. Other variables, such as the vendor’s business concerns from revenue protection, loss of reputation or legal implications can also be taken into account and factored into the comprehensive report which includes practical security enhancements on how to mitigate these risks.
A DPA hardware test subjects the product to physical attack by attempting access via management ports, debugging headers and other externally presented interfaces before analysing internal elements such as the printed circuit boards and storage devices. In the case of radio-based products, proprietary Digital Assurance tools coupled with Software Defined Radio (SDR) are used to try and intercept or manipulate the device. Software-based products are deployed directly onto a virtualised testbed infrastructure which is capable of mimicking the anticipated deployment environment. In any of these scenarios, DPA permits far more comprehensive assessments than can be undertaken in customer production or pre-production environments.
“DPA offers organisations at both ends of the supply chain the ability to identify and understand the risks and vulnerabilities in their products before going to market or committing to large scale deployments. Our team of testers can take these products apart and behave as a malicious user would, enabling the vendor to iron out discrepancies before the product comes to market,” said Phil Robinson, Director, Digital Assurance. “There are none of the repercussions associated with a product recall – the loss of consumer confidence, tarnished reputation or legal damages – and the vendor has gained an independent insight into the strengths and weaknesses of the product. Product pen testing has to be a prerequisite in what is now a cost and risk adverse market place.”
Digital Assurance Consulting Limited is exhibiting at stand J60 at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24th – 26th April 2012 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.
Contact
www.infosec.co.uk