On Tuesday, Synopsys and Underwriters Laboratories (UL) announced that they have collaborated to elevate transparency and confidence in the security of network-connectable devices through the creation of the UL Cybersecurity Assurance Program (UL CAP). The new certification enables device manufacturers to demonstrate diligence and provide security assurance to downstream customers and end users.
The UL CAP is an independent third-party testing and certification program for network-connectable products and software components, including industrial control systems (ICS), medical devices, in-vehicle software systems and other IoT devices.
This new certification program verifies compliance with UL 2900, a series of standards developed by UL with input from industry stakeholders. UL 2900 validates that a product offers a reasonable level of protection against cybersecurity risks that may result in unintended or unauthorized access, change or disruption.
The White House recently recognized UL CAP in the Cybersecurity National Action Plan as a key initiative in the coordinated effort between the Department of Homeland Security (DHS) and the private sector to enhance the Nation’s critical infrastructure security and resilience.
How to prepare for UL CAP certification with our Software Integrity Platform
Software security testing tools from Synopsys are designated for use in the UL Cybersecurity Assurance Program. Device manufacturers and component suppliers can proactively prepare for UL CAP certification by using the same tools as UL. Specifically, UL’s test lab uses Synopsys software testing tools to evaluate products against the following requirements:
- Known vulnerabilities and exposures. Black Duck Binary Analysis is used to scan a product’s software executables and libraries for known vulnerabilities and exposures.
- Software weaknesses. Coverity, our static code analysis tool, is run on all source code that the vendor makes available to the laboratory, to look for software weaknesses identified in the SANS Top 25 and OWASP Top 10.
- Robustness testing. Defensics, the fuzz testing tool used to discover the Heartbleed vulnerability, is used to test all external interfaces and communication protocols of the product.