CC BY-NC-SA 4.0, 2018 – IoT Security Initiative – www.iotsi.org
This license lets others remix, tweak, and build upon this work non-commercially, as long as they credit the IoT Security Initiative and this work and license their new creations under identical terms.
YOU ARE FREE TO
Share: Copy and redistribute the material in any medium or format.
Adapt: Remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
UNDER THE FOLLOWING TERMS
Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial: You may not use the material for commercial purposes.
ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
NO WARRANTY
This material is furnished on an "as-is" basis. No warranties of any kind are made, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. No warranties of any kind are made with respect to freedom from patent, trademark, or copyright infringement.
COMPLETE LICENSE TERMS & CONDITIONS CAN BE FOUND AT
https://creativecommons.org/licenses/by-nc-sa/4.0/
Given an end-to-end solution, ensure the following are accounted for prior to production release or go-live. Require the items below based on risk and the testing process. Continue to use the list for subsequent releases and as changes warrant.

#    COMPLETION STATUS          SECURITY ACTIVITY
1    NA / Pending / Complete    Vendor security testing and delivery requirements specified in contracts
2    NA / Pending / Complete    Vendor secure product development program attestation
3    NA / Pending / Complete    End-to-end data security reviewed and validated
4    NA / Pending / Complete    End-to-end data privacy reviewed and validated
5    NA / Pending / Complete    Software design and architecture security reviewed and validated
6    NA / Pending / Complete    Network design and architecture security reviewed and validated
7    NA / Pending / Complete    Product/service security requirements reviewed and/or provided
8    NA / Pending / Complete    All solution custom code tested for vulnerabilities with static code analysis
9    NA / Pending / Complete    Solution authentication and session design and technology reviewed and validated
10   NA / Pending / Complete    Functional user security configuration settings design reviewed and validated
11   NA / Pending / Complete    Solution password creation, storage, and reset design reviewed and validated
12   NA / Pending / Complete    API security reviewed and validated
13   NA / Pending / Complete    Device provisioning design and architecture reviewed and validated
14   NA / Pending / Complete    User provisioning design and architecture reviewed and validated
15   NA / Pending / Complete    Software/firmware-update model design and architecture reviewed and validated
16   NA / Pending / Complete    Device embedded system security controls reviewed and validated
17   NA / Pending / Complete    Device vulnerability assessment conducted
18   NA / Pending / Complete    Security patch levels of all third-party and open source production software current
19   NA / Pending / Complete    Product/service security features/functions testing conducted
20   NA / Pending / Complete    Device final-firmware package scanned for vulnerabilities
21   NA / Pending / Complete    Back-end network, systems, and operations security controls reviewed and validated
22   NA / Pending / Complete    Back-end network and system services vulnerability assessment conducted
23   NA / Pending / Complete    Web services dynamic vulnerability assessment conducted
24   NA / Pending / Complete    Penetration testing of end-to-end solution conducted
25   NA / Pending / Complete    Solution cryptographic keys stored and managed securely
26   NA / Pending / Complete    Source code repository security and access management in place
27   NA / Pending / Complete    All security findings sufficiently remediated and managed